[Snort-users] Event suppression question, and Whitelist question

Avery Rozar Avery.Rozar at ...16118...
Wed Jun 25 16:16:00 EDT 2014


Does event suppression stop alerting, and if inline stop dropping too? Or just alerting, but still drop?

I added the below entry into threshold.conf and I don’t get alerts anymore, but the app in use that was firing this sig off (it uses wininet) is still not working.

suppress gen_id 1, sig_id 21965, track by_src, ip x.x.x.x

Does adding a host to the white_list.rules stop preprocessor rules from being applied to this host too?



