Snort mailing list archives

Suppression how-to help


From: "Bradberry, John" <BradberryJ () aafes com>
Date: Tue, 23 Dec 2003 12:39:37 -0600

Hello:

We're trying to completely suppress Vecna scan events generated by
spp_stream4 (GID 111, SID 11) from a particular net range.

The configuration we're using is:

# Suppress Vecna scan false-alarms from Data Link Switch traffic:
suppress gen_id 111, sig_id 11, track by_src, ip 10.8.0.0/16;

The startup log:
SUPPRESS: gen_id=111, sig_id=11, tracking=0,  ip=10.8.0.0,
mask=255.255.0.0

However, the events keep getting logged!

Recommendations to correct this problem will be appreciated.

Thank you.

John Bradberry
The Greentree Group

