Snort mailing list archives
Re: Signature question...
From: Jeff Penn <jeff+dated+1075235701.a86d1c () jrpenn demon co uk>
Date: Thu, 22 Jan 2004 20:35:00 +0000
On Tue, Jan 20, 2004 at 08:35:05PM -0500, Jeff Kell wrote:
> I am in the process of "tuning" our signatures to rule out false positives (e.g., FrontPage alerts on fully-patched machines). I do not want to disable the signature completely (although I do know how to do that), but merely "pass" on the check if it is one of our known patched servers.
I believe the suppress command defined in threshold.conf is what you are looking for:

    suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

Jeff
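The following is an added example, not part of the original message and not Snort's own code: a small Python model of how the suppress line above scopes an alert, showing that only events whose destination falls in 10.1.1.0/24 are dropped. The function names and the sample alerts are constructed for illustration.

```python
import ipaddress

def parse_suppress(line):
    """Parse one threshold.conf 'suppress' line (simplified model, not Snort's parser)."""
    line = line.strip()
    if not line.startswith("suppress "):
        raise ValueError("not a suppress line")
    rule = {"gen_id": None, "sig_id": None, "track": None, "net": None}
    for field in line[len("suppress "):].split(","):
        parts = field.split()
        if len(parts) != 2:
            raise ValueError(f"malformed field: {field!r}")
        key, value = parts
        if key in ("gen_id", "sig_id"):
            rule[key] = int(value)
        elif key == "track" and value in ("by_src", "by_dst"):
            rule["track"] = value
        elif key == "ip":
            rule["net"] = ipaddress.ip_network(value, strict=False)
        else:
            raise ValueError(f"unsupported field: {field!r}")
    if rule["gen_id"] is None or rule["sig_id"] is None:
        raise ValueError("gen_id and sig_id are required")
    if (rule["track"] is None) != (rule["net"] is None):
        raise ValueError("track and ip must be given together")
    return rule

def is_suppressed(rule, gen_id, sig_id, src, dst):
    """True if an alert with these attributes would be dropped by the rule."""
    if (gen_id, sig_id) != (rule["gen_id"], rule["sig_id"]):
        return False
    if rule["track"] is None:
        return True  # no track/ip: the signature is silenced for every host
    addr = src if rule["track"] == "by_src" else dst
    return ipaddress.ip_address(addr) in rule["net"]

RULE = parse_suppress("suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24")

# Constructed sample alerts: (gen_id, sig_id, src, dst)
SAMPLE_ALERTS = [
    (1, 1852, "192.0.2.7", "10.1.1.20"),   # to a listed server: suppressed
    (1, 1852, "192.0.2.7", "10.1.2.20"),   # to a host outside the /24: still alerts
    (1, 1852, "10.1.1.20", "10.9.9.9"),    # listed host is the source: still alerts
    (1, 1853, "192.0.2.7", "10.1.1.20"),   # different signature: still alerts
]

def surviving_alerts(rule, alerts):
    """Return the alerts that remain visible after suppression."""
    return [a for a in alerts if not is_suppressed(rule, *a)]

if __name__ == "__main__":
    for alert in surviving_alerts(RULE, SAMPLE_ALERTS):
        print("still alerts:", alert)
```

Keeping the ip scope as narrow as the set of known patched servers leaves the signature active for everything else, including traffic that originates from those servers.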