[Snort-users] Preprocessors still alerting after suppress added in threshold.conf

Agus agus.262 at ...11827...
Mon Jun 10 18:56:43 EDT 2013


Hi guys,

I am testing a new sensor and trying to suppress most noisy alerts.

The suppress seems to be working OK, because when I finished reading the pcap
with Snort, I get

+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
| gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
| gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
| gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
| gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
| gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=417


But then I go to the alert file and I see alerts on those preprocessors
still...

Anything I'm missing?

Thanks!
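
A cross-check for the situation described above, as an added example that is not part of the original post: it parses the filtered-events summary and counts alert-file entries whose gen-id/sig-id pair is listed as type=Suppress. It assumes the alert file uses Snort's fast alert layout with a `[gid:sid:rev]` token; the alert lines, addresses and message text are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# One row of the end-of-run "filtered events" summary, in the layout shown in the post.
# [^|]*? lets a row continue across a wrapped line but stops at the next "|" row.
FILTERED_RE = re.compile(
    r"gen-id=(\d+)\s+sig-id=(\d+)\s+type=(\w+)\s+tracking=(\w+)[^|]*?filtered=(\d+)")
# [gid:sid:rev] token of a fast-format alert line (assumed alert file format).
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")

# Rows taken from the post, including the mail-wrapped Limit row.
SUMMARY = """\
| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1
seconds=60  filtered=4
| gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
| gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=417
"""

# Constructed alert lines (documentation addresses, placeholder messages).
ALERTS = [
    "06/10-18:40:01.000001  [**] [119:19:1] (constructed msg) [**] [Priority: 3] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80",
    "06/10-18:40:02.000001  [**] [119:19:1] (constructed msg) [**] [Priority: 3] {TCP} 192.0.2.11:40001 -> 198.51.100.5:80",
    "06/10-18:40:03.000001  [**] [138:5:1] (constructed msg) [**] [Priority: 2] {TCP} 192.0.2.12:40002 -> 198.51.100.5:25",
    "06/10-18:40:04.000001  [**] [1:2014726:3] (constructed msg) [**] [Priority: 1] {TCP} 192.0.2.13:40003 -> 198.51.100.5:80",
    "06/10-18:40:05.000001  [**] [129:12:1] (constructed msg) [**] [Priority: 3] {TCP} 192.0.2.14:40004 -> 198.51.100.5:80",
]


def parse_filtered(summary):
    """Return {(gid, sid): (type, filtered_count)} from the summary text."""
    out = {}
    for m in FILTERED_RE.finditer(summary):
        gid, sid, ftype, _tracking, count = m.groups()
        out[(int(gid), int(sid))] = (ftype, int(count))
    return out


def still_alerting(summary, alert_lines):
    """Count alerts whose gid:sid has a type=Suppress entry in the summary."""
    suppressed = {k for k, (t, _) in parse_filtered(summary).items() if t == "Suppress"}
    hits = Counter()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and (int(m[1]), int(m[2])) in suppressed:
            hits[(int(m[1]), int(m[2]))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (gid, sid), n in sorted(still_alerting(SUMMARY, ALERTS).items()):
        print(f"suppressed {gid}:{sid} still has {n} alert line(s)")
```

Comparing the timestamps of any lines it reports against the time of the pcap run shows whether those entries were written during that run.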