[Snort-users] Using suppress and syntax

Joel Esler jesler at ...1935...
Thu May 20 09:53:37 EDT 2010


Bill, to answer your second question, yes, the way you have it should work just fine.


On May 19, 2010, at 9:35 PM, Bill Pickens wrote:

> Thanks Shawn,
> It is a version issue for the first question.
>  
> suppress gen_id 1, sig_id 2009955, track by_dst, ip [172.16.1.120,172.16.1.121]
> I just tested it on:
>               Version 2.8.4.1 (Build 38) --- It didn't work!
>               Version 2.8.6 (Build 38) ---- It worked!
> 
> 
>  
> On Wed, May 19, 2010 at 5:49 PM, Jefferson, Shawn <Shawn.Jefferson at ...14545...48...> wrote:
> Hi,
> 
>  
> I’m doing this and it works:
> 
>  
> suppress gen_id 1, sig_id 2009955, track by_dst, ip [172.16.1.120,172.16.1.121]
> 
>  
> with Snort v.2.8.5.3
> 
>  
> and I tested your suppress line and it worked for me as well (snort -T), no error message.
> 
>  
> From: Bill Pickens [mailto:wmpickens at ...11827...] 
> Sent: Wednesday, May 19, 2010 1:39 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Using suppress and syntax
> 
>  
> Hello Everyone,
> 
>  
> I want to suppress a rule for a number of servers.
> 
> Can I do that?
> 
> I tried this and it gives me a parsing error:
> 
> suppress gen_id 1, sig_id 469, track by_dst, ip [10.106.88.29,10.102.128.1,10.103.128.2,172.17.17.150]
> 
> 
> Also,
> 
> What would be the proper syntax for the last line shown here:
> 
> var ENT_DNS_SERVERS [10.101.1.1,10.103.1.2,10.105.3.4]
> 
> var LOCAL_DNS_SERVERS [172.6.5.4,172.8.7.3,172.6.6.6]
> 
> var DNS_SERVERS [$ENT_DNS_SERVERS,$LOCAL_DNS_SERVERS]  <--- is this correct? snort doesn't complain
> 
>  
> Thanks
> 
> Bill
> 
>  
> 

--
Joel Esler






