[Snort-users] suppressing all signatures from a particular generator

Victor Roemer vroemer at ...1935...
Fri Aug 24 10:30:08 EDT 2012


Could you provide your entire threshold configuration?

Thanks


On Fri, Aug 24, 2012 at 6:50 AM, James Davis <james.davis at ...15783...> wrote:

> Running 2.9.3.1
>
> I'd like to suppress a lot of alerts created by some generators. In
> particular, although I want the functionality of the http_inspect
> preprocessor, I'm not interested in the alerts it raises.
>
> In my threshold.conf I have:
>
> suppress gen_id 120, sig_id 1
> suppress gen_id 120, sig_id 2
> suppress gen_id 120, sig_id ...
>
> but if I replace this with
>
> suppress gen_id 120, sig_id 0
>
> as documented at http://manual.snort.org/node19.html, snort refuses to
> start with the following error:
>
> "ERROR: threshold.conf(74) suppress could not be created"
>
> Has this feature been removed?
>
> James
>
> --
> James Davis                0300 999 2340 (+44 1235 822340)
> Senior CSIRT Member
> Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
>
> Janet is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG