[Snort-users] alert suppression

Pedro Marinho pppmarinho at ...11827...
Thu May 7 08:53:44 EDT 2009


Hello Jefferson,

> Searching on the IP address in the tagged packet, like Greg suggested and
> then sorting them by timestamp shows that this alert and a couple of tagged
> packets all have the same src/dst IP and port and timestamp in BASE.

> Now I know what they are, I don't want to get rid of them from showing up
> in BASE. ;)

> Thanks,
> Shawn

I know a way to get rid of it in BASE. Log in to mysql:
use databasesnort;

First you have to figure out what the sig_id of this is:

select sig_id from signature where sig_name = 'tag: tagged packet';

This query will return a number, 435 for example;
then you run another query with the number from the previous query:

delete from event where signature = 435;
delete from acid_event where signature = 435;

PS: be careful!! This will delete all alerts that have the signature msg
"tag: tagged packet" from the Snort database.
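The same clean-up as an added example (not part of Pedro's post): the sig_id lookup and both deletes are keyed on the signature name in a single transaction, with a dry-run count first, which is the check the warning above calls for. It uses an in-memory sqlite3 stand-in with constructed rows and only the columns the post names, so it runs offline; against the real MySQL database it is the two SQL statements that matter.

```python
import sqlite3

SIG_NAME = "tag: tagged packet"

# Constructed stand-in for the three tables the post touches (signature, event,
# acid_event) with only the columns the post uses; the real Snort/BASE schema
# has more columns and more tables.
SCHEMA = """
CREATE TABLE signature  (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event      (sid INTEGER, cid INTEGER, signature INTEGER);
CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER);
INSERT INTO signature VALUES (435, 'tag: tagged packet'), (7, 'ICMP PING');
INSERT INTO event      VALUES (1, 1, 7), (1, 2, 435), (1, 3, 435);
INSERT INTO acid_event VALUES (1, 1, 7), (1, 2, 435), (1, 3, 435);
"""

# One predicate for both tables: keying on the signature name means the sig_id
# lookup and the delete cannot drift apart between two hand-typed queries.
WHERE_TAGGED = "signature IN (SELECT sig_id FROM signature WHERE sig_name = ?)"
TABLES = ("event", "acid_event")


def open_demo_db():
    # autocommit mode: transactions are opened and closed explicitly below
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def count_tagged(conn, sig_name=SIG_NAME):
    """Dry run: how many rows the delete would remove, per table."""
    return {
        t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE {WHERE_TAGGED}",
                        (sig_name,)).fetchone()[0]
        for t in TABLES
    }


def delete_tagged(conn, sig_name=SIG_NAME, expected=None):
    """Delete inside one transaction; roll back if the number of rows removed
    differs from the dry-run counts the operator reviewed."""
    removed = {}
    conn.execute("BEGIN")
    try:
        for t in TABLES:
            cur = conn.execute(f"DELETE FROM {t} WHERE {WHERE_TAGGED}", (sig_name,))
            removed[t] = cur.rowcount
        if expected is not None and removed != expected:
            raise RuntimeError(f"row counts changed: {removed} != {expected}")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return removed
```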