[Snort-users] preprocessor alert

Jason Wallace jason.r.wallace at ...11827...
Wed Aug 4 08:04:46 EDT 2010


If you want to limit/suppress this alert for a single host or network,
then take a look at your gen-msg.map. That will give you the GID and
the SID of the preprocessor alert. You can use that information to
create a threshold or suppression statement. If you do not want to
ever see the alert for any host, look in preprocessor.rules and disable
the rule.

Wally

On Wed, Aug 4, 2010 at 5:30 AM, ll <ibeginhere at ...11827...> wrote:
> Hi all,
> The preprocessor creates too many alerts, for example "stream5: Limit on
> number of overlapping TCP packets reached". Should I disable the
> stream5 preprocessor, or is there some way to disable these alerts? Which
> would be better? And if I want to disable some alerts created by the
> preprocessor when I know the preprocessor SID, how do I do that? I only
> know how to disable rules when I know the rule's SID.


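The lookup described in the reply above, as an added example that is not part of the original thread: it finds the GID and SID for a preprocessor message in gen-msg.map and builds the matching `suppress` and `event_filter` lines (`event_filter` is the name Snort 2.8.5 and later use for the standalone threshold statement). The map lines are constructed in gen-msg.map's layout, the addresses come from the documentation range, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the "GID || SID || message" layout of gen-msg.map;
# read the real values from the gen-msg.map shipped with your Snort build.
SAMPLE_GEN_MSG_MAP = """\
# GENERATORS -> msg map
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
"""

def find_preproc_ids(map_text, needle):
    """Return [(gid, sid, msg)] for map entries whose message contains needle."""
    hits = []
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # skip malformed lines
        if needle.lower() in parts[2].lower():
            hits.append((int(parts[0]), int(parts[1]), parts[2]))
    return hits

def suppress_line(gid, sid, track=None, ip=None):
    """Build a suppress statement; without ip it silences the event for every host."""
    stmt = f"suppress gen_id {gid}, sig_id {sid}"
    if ip is not None:
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        net = ipaddress.ip_network(ip, strict=False)  # validates host or CIDR
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        stmt += f", track {track}, ip {target}"
    return stmt

def event_filter_line(gid, sid, count=1, seconds=60, track="by_src"):
    """Rate-limit instead of silencing: at most `count` alerts per `seconds`."""
    return (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track {track}, count {count}, seconds {seconds}")

if __name__ == "__main__":
    for gid, sid, msg in find_preproc_ids(SAMPLE_GEN_MSG_MAP, "overlapping TCP"):
        print(f"# {msg}")
        print(suppress_line(gid, sid, "by_src", "192.0.2.10"))
        print(event_filter_line(gid, sid))
```

A host-scoped `suppress` keeps the alert visible for every other address, which is usually preferable to disabling the rule in preprocessor.rules when only one noisy source is the problem.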