Snort mailing list archives

Re: Signature question...


From: Jeff Penn <jeff+dated+1075235701.a86d1c () jrpenn demon co uk>
Date: Thu, 22 Jan 2004 20:35:00 +0000

On Tue, Jan 20, 2004 at 08:35:05PM -0500, Jeff Kell wrote:
> I am in the process of "tuning" our signatures to rule out false 
> positives (e.g., FrontPage alerts on fully-patched machines).  I do not 
> want to disable the signature completely (although I do know how to do 
> that), but merely "pass" on the check if it is one of our known patched 
> servers.

I believe the suppress command defined in threshold.conf is what you are
looking for:

suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

Jeff
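
What the suppress entry above does and does not silence, as an added example that is not part of the original message: a small Python check that parses the entry and evaluates it against constructed alerts. The alert dictionaries, helper names and the second sig_id are hypothetical, and only a single address or CIDR after "ip" is handled.

```python
import ipaddress
import re

# suppress gen_id G, sig_id S[, track by_src|by_dst, ip CIDR]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)

def parse_suppress(line):
    """Parse one threshold.conf line; None if it is not a suppress entry."""
    m = SUPPRESS_RE.match(line.split("#", 1)[0].strip())
    if not m:
        return None
    gid, sid, track, ip = m.groups()
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return {"gid": int(gid), "sid": int(sid), "track": track, "net": net}

def is_suppressed(rule, alert):
    """True if this suppress entry would silence the alert."""
    if (rule["gid"], rule["sid"]) != (alert["gid"], alert["sid"]):
        return False
    if rule["track"] is None:
        return True  # no track/ip clause: silenced for every host
    addr = alert["dst"] if rule["track"] == "by_dst" else alert["src"]
    return ipaddress.ip_address(addr) in rule["net"]

# The entry quoted in the message above.
RULE = parse_suppress("suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24")

# Constructed alerts (not real traffic); 9999999 is a made-up sig_id.
ALERTS = [
    {"gid": 1, "sid": 1852, "src": "192.0.2.7", "dst": "10.1.1.20"},   # dst inside range
    {"gid": 1, "sid": 1852, "src": "192.0.2.7", "dst": "10.2.0.5"},    # dst outside range
    {"gid": 1, "sid": 1852, "src": "10.1.1.20", "dst": "192.0.2.7"},   # range is source only
    {"gid": 1, "sid": 9999999, "src": "192.0.2.7", "dst": "10.1.1.20"},  # other signature
]

def evaluate():
    """Suppression verdict for each constructed alert, in order."""
    return [is_suppressed(RULE, a) for a in ALERTS]

if __name__ == "__main__":
    for alert, hit in zip(ALERTS, evaluate()):
        print("suppressed" if hit else "alerts    ", alert)
```

Only the first alert is silenced: the signature still fires for destinations outside 10.1.1.0/24, for traffic where the range is the source, and for every other sig_id.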

