[Snort-users] Snort too verbose

Rick Chisholm rchisholm at ...15434...
Mon Nov 14 12:12:32 EST 2011


done - thanks.

seems to be working.

Seems like I'm doubling up a bit with stuff in threshold.conf and
disablesid.conf since the latter does not seem 100% effective esp. for
3-digit gen_id rules.

On Mon, November 14, 2011 11:57 am, Joel Esler wrote:
> Place them in the threshold.conf that is referenced from your snort.conf
>
> J
>
> On Nov 14, 2011, at 11:36 AM, Rick Chisholm wrote:
>
>> Historically, I used threshold.conf - but apparently that is well
>> deprecated now.  It's the suppress event_filter I think I am interested
>> in - but where do I use these rules?
>>
>>
>> On Mon, November 14, 2011 10:35 am, Joel Esler wrote:
>>> On Nov 14, 2011, at 9:05 AM, Rick Chisholm wrote:
>>>
>>>> Since upgrading to 2.9.1.x I find I'm getting much more verbose
>>>> alerting than previously.  Of particular note is http_inspect and
>>>> ssl_ssp - which I think are from certain preprocessors.  What can I
>>>> do to mute these?
>>>
>>> Event_filter.
>>>
>>> Look into README.filters in the doc/ directory of the tarball.
>>>
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>
>>
>> --
>> Rick Chisholm
>> Systems Administrator
>> Parallel42
>>
>
>


-- 
Rick Chisholm
Systems Administrator
Parallel42
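
Added example, not part of the original thread: a sketch of what the threshold.conf entries discussed above can look like, using the suppress and event_filter syntax from README.filters. It assumes gen_id 119 for http_inspect and gen_id 137 for the SSL preprocessor; the sig_id values, the IP address and the count/seconds numbers are constructed, so take the real gen_id:sig_id pairs from your own alert output.

```conf
# threshold.conf - pulled in from snort.conf with a line such as:
#   include threshold.conf

# Silence one preprocessor event entirely.
# gen_id 119 = http_inspect (assumed); sig_id 2 is a constructed sample.
suppress gen_id 119, sig_id 2

# Silence an event only for one noisy host, keep it for everyone else.
# 192.0.2.10 is a documentation address used as a placeholder.
suppress gen_id 119, sig_id 15, track by_src, ip 192.0.2.10

# Keep the event but rate-limit it: at most one alert per source
# every 60 seconds. gen_id 137 = SSL preprocessor (assumed).
event_filter gen_id 137, sig_id 1, type limit, track by_src, count 1, seconds 60
```

A suppress entry drops the event from output completely, while event_filter with type limit still logs the first occurrence per interval, which keeps some visibility into a preprocessor that is only noisy rather than irrelevant.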




