[Snort-users] Suppressing the SCAN UPnP service alerts
basantsubba at ...11827...
Wed Jun 25 07:21:53 EDT 2014
Thanks Joel, that worked.
On Wed, Jun 25, 2014 at 4:46 PM, basant subba <basantsubba at ...11827...> wrote:
> Thank you, Avery, for that information, but the problem with this solution
> is that it only suppresses the threats with matching source and destination
> IP address. I still get these alerts where the source and destination
> addresses are MAC addresses instead of IP addresses. It would be helpful
> if someone could tell me which .rules file contains the signature for this
> alarm, so that I can disable it manually.
> On Wed, Jun 25, 2014 at 4:22 PM, Avery Rozar <
> Avery.Rozar at ...16118...> wrote:
>> Look at suppression in the threshold.conf file.
>> For example:
>> suppress gen_id 1, sig_id 1917
>> # or suppress by sig_id and src host
>> suppress gen_id 1, sig_id 1917, track by_src, ip x.x.x.x
>> From: basant subba <basantsubba at ...11827...>
>> Date: Wednesday, June 25, 2014 at 2:14 AM
>> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Suppressing the SCAN UPnP service alerts
>> When I run snort, I get a lot of "SCAN UPnP service discover attempt"
>> alerts with SID 1917. How do I suppress this alert? Which .rules file
>> contains the signature corresponding to this alarm? Also, is it something I
>> should keep track of?
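Added example, not part of the thread and not written by any of its participants: one way to find which .rules file carries a given SID and to comment that rule out. The function names (`find_sid`, `disable_sid`, `make_sample`), the file names and the rule bodies are constructed for illustration; only the SID and the alert message come from the thread.

```shell
#!/usr/bin/env bash
# Added example: find which .rules file carries a SID, then comment it out.

# find_sid DIR SID: print "file:line:enabled|disabled" for every rule with that SID.
find_sid() {
    local dir=$1 sid=$2 file line text
    grep -rnE --include='*.rules' \
        "(^|[^[:alnum:]_])sid:[[:space:]]*${sid}[[:space:]]*;" "$dir" |
    while IFS=: read -r file line text; do
        text="${text#"${text%%[![:space:]]*}"}"   # trim leading whitespace
        case "$text" in
            \#*) printf '%s:%s:disabled\n' "$file" "$line" ;;
            *)   printf '%s:%s:enabled\n'  "$file" "$line" ;;
        esac
    done
}

# disable_sid FILE SID: comment out the active rule, keeping FILE.bak as a backup.
disable_sid() {
    local file=$1 sid=$2
    sed -E -i.bak \
        "/^[[:space:]]*#/!s/^(.*[^[:alnum:]_]sid:[[:space:]]*${sid}[[:space:]]*;.*)\$/# \1/" \
        "$file"
}

# make_sample DIR: write constructed rule files (simplified, not the real rule text).
make_sample() {
    mkdir -p "$1"
    cat > "$1/sample-a.rules" <<'EOF'
# alert tcp any any -> any 80 (msg:"constructed disabled rule"; sid:19170; rev:1;)
alert udp any any -> any 1900 (msg:"SCAN UPnP service discover attempt"; sid:1917; rev:1;)
EOF
    cat > "$1/sample-b.rules" <<'EOF'
alert tcp any any -> any 22 (msg:"constructed unrelated rule"; sid:1000001; rev:1;)
EOF
}

# Demo on constructed data when invoked with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_sample "$d"
    find_sid "$d" 1917                      # reports the rule as enabled
    disable_sid "$d/sample-a.rules" 1917
    find_sid "$d" 1917                      # now reported as disabled
    rm -rf "$d"
fi
```

A rule commented out by hand can be re-enabled when the rule files are replaced by an update, whereas a `suppress gen_id 1, sig_id 1917` line in threshold.conf is kept separately from the rule files.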