[Snort-users] Snort too verbose

Joel Esler jesler at ...1935...
Mon Nov 14 12:17:37 EST 2011


If you feel a bug is present in Pulledpork, please file a bug on the pulledpork website.

J

On Nov 14, 2011, at 12:12 PM, Rick Chisholm wrote:

> done - thanks.
> 
> seems to be working.
> 
> Seems like I'm doubling up a bit with stuff in threshold.conf and
> disablesid.conf since the latter does not seem 100% effective esp. for
> 3-digit gen_id rules.
> 
> On Mon, November 14, 2011 11:57 am, Joel Esler wrote:
>> Place them in the threshold.conf that is referenced from your snort.conf
>> 
>> J
>> 
>> On Nov 14, 2011, at 11:36 AM, Rick Chisholm wrote:
>> 
>>> Historically, I used threshold.conf - but apparently that is well
>>> deprecated now.  It's the suppress event_filter I think I am interested
>>> in - but where do I use these rules?
>>> 
>>> 
>>> On Mon, November 14, 2011 10:35 am, Joel Esler wrote:
>>>> On Nov 14, 2011, at 9:05 AM, Rick Chisholm wrote:
>>>> 
>>>>> Since upgrading to 2.9.1.x I find I'm getting much more verbose
>>>>> alerting than previously.  Of particular note is http_inspect and
>>>>> ssl_ssp - which I think are from certain preprocessors.  What can I do
>>>>> to mute these?
>>>> 
>>>> Event_filter.
>>>> 
>>>> Look into README.filters in the doc/ directory of the tarball.
>>>> 
>>>> --
>>>> Joel Esler
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
>>>> Sourcefire
>>>> 
>>> 
>>> 
>>> --
>>> Rick Chisholm
>>> Systems Administrator
>>> Parallel42
>>> 
>> 
>> 
> 
> 
> -- 
> Rick Chisholm
> Systems Administrator
> Parallel42
> 
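
Added example, not part of the original thread: a small Python audit of the suppress and event_filter lines the thread says to place in threshold.conf, reporting which gen_id:sig_id pairs are muted outright and which are only rate limited. The sample file is constructed; gen_id 119 (http_inspect) and 137 (SSL preprocessor) are Snort 2.x generator IDs, while the sig_id values, the IP address and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample threshold.conf content (sig_ids and the IP are illustrative).
SAMPLE_THRESHOLD_CONF = """\
# mute one http_inspect event everywhere
suppress gen_id 119, sig_id 2
# mute one SSL preprocessor event only for one noisy host
suppress gen_id 137, sig_id 1, track by_src, ip 192.0.2.10
# log one http_inspect event at most once per source per minute
event_filter gen_id 119, sig_id 19, type limit, track by_src, count 1, seconds 60
"""

LINE_RE = re.compile(r"^(suppress|event_filter)\s+(.*)$")


def parse_filters(text):
    """Return one dict per suppress/event_filter line (hypothetical helper).

    Assumes each option is 'name value' and that 'ip' holds a single
    address or CIDR, not a bracketed comma-separated list.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = LINE_RE.match(line)
        if not m:
            continue                             # not a filter line
        entry = {"kind": m.group(1), "line": lineno}
        for opt in m.group(2).split(","):
            parts = opt.split(None, 1)
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: bad option {opt!r}")
            entry[parts[0]] = parts[1].strip()
        if "gen_id" not in entry or "sig_id" not in entry:
            raise ValueError(f"line {lineno}: gen_id and sig_id are required")
        entries.append(entry)
    return entries


def summarize(entries):
    """Map 'gen_id:sig_id' to how the event is silenced."""
    out = {}
    for e in entries:
        key = f"{e['gen_id']}:{e['sig_id']}"
        if e["kind"] == "suppress":
            out[key] = ("suppressed for " + e["ip"]) if "ip" in e else "suppressed globally"
        else:
            out[key] = f"{e['type']} {e['count']}/{e['seconds']}s {e['track']}"
    return out


if __name__ == "__main__":
    for key, state in summarize(parse_filters(SAMPLE_THRESHOLD_CONF)).items():
        print(key, "->", state)
```

Running it against a real threshold.conf gives a quick list of the detection coverage that has been switched off, which is worth reviewing after each Snort upgrade.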




