[Snort-users] Suppressing the SCAN UPnP service alerts

Avery Rozar Avery.Rozar at ...16118...
Wed Jun 25 06:52:10 EDT 2014


Look at suppression in the threshold.conf file.

For example:

suppress gen_id 1, sig_id 1917

# or suppress by sig_id and src host
suppress gen_id 1, sig_id 1917, track by_src, ip x.x.x.x

From: basant subba <basantsubba at ...11827...>
Date: Wednesday, June 25, 2014 at 2:14 AM
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Suppressing the SCAN UPnP service alerts

When I run snort, I get a lot of "SCAN UPnP service discover attempt" alerts with SID 1917. How do I suppress this alert? Which .rules file contains the signature corresponding to this alarm? Also, is it something I should keep track of?
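
An added example, not part of the original thread: a Python script that counts SID 1917 alerts per source in an alert_fast log and emits `suppress ... track by_src` entries only for the noisy hosts, so the rule keeps firing for unexpected sources. The log lines (including the rev number, addresses and the 1000001 local rule) and the `min_alerts` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast layout (not taken from the thread).
SAMPLE_ALERTS = """\
06/25-02:10:01.100000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.10:50321 -> 239.255.255.250:1900
06/25-02:10:04.100000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.10:50321 -> 239.255.255.250:1900
06/25-02:10:07.100000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.10:50321 -> 239.255.255.250:1900
06/25-02:11:30.200000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.23:61000 -> 239.255.255.250:1900
06/25-02:12:00.300000  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
06/25-02:15:45.400000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 203.0.113.7:4242 -> 192.168.1.1:1900
"""

# [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

def count_sources(log_text, gid=1, sid=1917):
    """Count alerts for one gid:sid per source IP; other rules are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and int(m["gid"]) == gid and int(m["sid"]) == sid:
            counts[m["src"]] += 1
    return counts

def suppress_lines(counts, min_alerts, gid=1, sid=1917):
    """Build by_src suppress entries for sources with at least min_alerts hits."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
        for ip, n in ranked
        if n >= min_alerts
    ]

if __name__ == "__main__":
    counts = count_sources(SAMPLE_ALERTS)
    for ip, n in counts.most_common():
        print(f"{n:5d}  {ip}")
    # Review the list before pasting: only suppress hosts you recognise.
    print("\n".join(suppress_lines(counts, min_alerts=3)))
```
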



