[Snort-users] Suppressing the SCAN UPnP service alerts

basant subba basantsubba at ...11827...
Wed Jun 25 07:21:53 EDT 2014


Thanks Joel, that worked.


On Wed, Jun 25, 2014 at 4:46 PM, basant subba <basantsubba at ...11827...> wrote:

> Thank You Avery for that information, but the problem with this solution
> is that it only suppresses the threats with matching source and destination
> IP address. I still get these alerts where the source and destination
> addresses are MAC addresses instead of IP addresses. It would be helpful
> if someone could tell me which .rules file contains the signature for this
> alarm, so that I can disable it manually.
>
>
> On Wed, Jun 25, 2014 at 4:22 PM, Avery Rozar <
> Avery.Rozar at ...16118...> wrote:
>
>> Look at suppression in the threshold.conf file.
>>
>> For example:
>>
>> suppress gen_id 1, sig_id 1917
>>
>> # or suppress by sig_id and src host
>> suppress gen_id 1, sig_id 1917, track by_src, ip x.x.x.x
>>
>> From: basant subba <basantsubba at ...11827...>
>> Date: Wednesday, June 25, 2014 at 2:14 AM
>> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Suppressing the SCAN UPnP service alerts
>>
>> When I run snort, I get a lot of "SCAN UPnP service discover attempt"
>> alerts with SID 1917. How do I suppress this alert? Which .rules file
>> contains the signature corresponding to this alarm? Also is it something I
>> should keep track of?
>>
>
>
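
Locating the .rules file that carries SID 1917 and commenting the rule out, the manual disable asked about in the thread, as an added example that is not part of the original messages. The file names and rule text are constructed stand-ins, and the script assumes one rule per line (no backslash continuations).

```python
import re
import tempfile
from pathlib import Path

def sid_pattern(sid):
    # Match the sid option exactly, so sid:1917 does not also hit sid:19170.
    return re.compile(rb"\bsid\s*:\s*%d\s*;" % sid)

def find_sid(rules_dir, sid):
    """Return [(file name, line number, enabled)] for every rule with this SID."""
    pat, hits = sid_pattern(sid), []
    for path in sorted(Path(rules_dir).glob("*.rules")):
        for n, line in enumerate(path.read_bytes().splitlines(), 1):
            if pat.search(line):
                hits.append((path.name, n, not line.lstrip().startswith(b"#")))
    return hits

def disable_sid(rules_dir, sid):
    """Comment out every enabled rule with this SID; return how many changed."""
    pat, changed = sid_pattern(sid), 0
    for path in sorted(Path(rules_dir).glob("*.rules")):
        lines = path.read_bytes().splitlines(keepends=True)
        touched = False
        for i, line in enumerate(lines):
            if pat.search(line) and not line.lstrip().startswith(b"#"):
                lines[i] = b"# " + line
                touched = True
                changed += 1
        if touched:  # leave files without the SID byte-for-byte untouched
            path.write_bytes(b"".join(lines))
    return changed

def demo():
    # Constructed stand-in rules, not the text of the shipped signatures.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample-scan.rules").write_text(
            'alert udp any any -> any 1900 (msg:"SCAN UPnP service discover attempt"; sid:1917; rev:1;)\n'
            'alert tcp any any -> any 80 (msg:"constructed neighbour"; sid:19170; rev:1;)\n')
        Path(d, "sample-old.rules").write_text(
            '# alert udp any any -> any 1900 (msg:"already disabled copy"; sid: 1917; rev:1;)\n')
        before = find_sid(d, 1917)
        changed = disable_sid(d, 1917)
        return before, changed, find_sid(d, 1917), find_sid(d, 19170)

if __name__ == "__main__":
    print(demo())
```

Unlike the suppress lines quoted above, which only hide the alert, commenting the rule out stops Snort from evaluating it at all once the rules are reloaded.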