[Snort-users] Suppressing the SCAN UPnP service alerts

basant subba basantsubba at ...11827...
Wed Jun 25 07:16:50 EDT 2014


Thank You Avery for that information, but the problem with this solution is
that it only suppresses the threats with matching source and destination IP
address. I still get this alerts where the source and destination
addresses  are MAC addresses instead of IP addresses. It would be helpful
if someone could tell me which .rules files contains the signature for this
alarm, so that I can disable it manually.


On Wed, Jun 25, 2014 at 4:22 PM, Avery Rozar <Avery.Rozar at ...16118...>
wrote:

> Look at suppression in the threshold.conf file.
>
> For example;
>
> suppress gen_id 1, sig_id 1917
>
> # or suppress by sig_id and src host
> suppress gen_id 1, sig_id 1917, track by_src, ip x.x.x.x
>
> From: basant subba <basantsubba at ...11827...<mailto:basantsubba at ...11827...>>
> Date: Wednesday, June 25, 2014 at 2:14 AM
> To: "snort-users at lists.sourceforge.net<mailto:
> snort-users at lists.sourceforge.net>" <snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>>
> Subject: [Snort-users] Suppressing the SCAN UPnP service alerts
>
> When I run snort, I get  a lot of "SCAN UPnP service discover attempt"
> alerts with SID 1917? How do I suppress this alert? Which .rules file
> contains the signature corresponding to this alarm? Also is it something I
> should keep track of?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140625/5d0aa2a4/attachment.html>


More information about the Snort-users mailing list