Snort mailing list archives

Re: Suppress alerts


From: Peter Rodger <prodger2008 () yahoo com>
Date: Mon, 17 Oct 2005 11:35:26 -0700 (PDT)

Joel,

Thanks for the info and help.  The threshold.conf file
is in the /snort/etc directory, following the instruction
in the snort.conf file (the file is in the /etc and /rules
folders). Even if I change threshold.conf in the \rules
directory, the result is still the same.

Please see the attached snort.conf and threshold.conf
files in the \snort\etc folder.

I did change threshold.conf in both /etc and /rules
folders and include d:\win-ds\snort\etc\threshold.conf
in the snort.conf file.
Still cannot suppress these alerts?

Let me know what's wrong with my config?  I cannot
figure out why.

Thanks again,

Peter



--- Joel Esler <joel.esler () sourcefire com> wrote:

The threshold.conf is probably in your /rules directory.  (The
directory is located in your snort.conf.  Search your snort.conf for
"threshold.conf" and you'll see the include statement.)

The Generator ID and SID are located in gid-msg.map and sid-msg.map.
Probably in your rules directory.

Joel Esler
SOURCEfire


On Oct 17, 2005, at 1:06 PM, Peter Rodger wrote:

Bruce,

Thanks!  I am running Snort on Windows too.   I'm
using IIS6, MSSQL, PHP, and BASE on Windows 2003.
BTW, I just found out that the threshold.conf file is
in two places: one is in the \snort\etc folder; another is
in the \snort\rules folder.  Which one should I change?
I changed the one in the \snort\etc folder.

How do you get the generator ID or SID?

Thanks again,

Peter
--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:


Yes I did see your Friday e-mail.

I am running Snort on Windows and do not have your problem.

Also you do not need to reboot your Snort machine when making a config
change - just stop & restart Snort.

What Snort version?
What other support tools are you using - such as web server & logging
database & alert viewer?
I'm using Apache, MySQL, PHP, and BASE.

Bruce


-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Monday, October 17, 2005 11:52 AM
To: Briggs, Bruce
Subject: Fwd: RE: [Snort-users] Suppress alerts

Bruce,

Did you check this message I sent you last Friday?

The snort.conf is the right file I changed.

What could go wrong with it?

Thanks so much,

Peter
Note: forwarded message attached.





__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com











-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content,
downloads,  
discussions,
and more.
http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:


https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:


http://www.geocrawler.com/redir-sf.php3?list=snort-users










        
                

Attachment: snort.conf
Description: 2440593508-snort.conf

Attachment: threshold.conf
Description: 1965301261-threshold.conf
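
The check this thread keeps circling, which threshold.conf copy snort.conf actually includes and which suppress entries in it are active, as an added example (not code from the thread, its attachments, or the Snort project). The sample file contents, SIDs and function names are constructed for illustration, and the resolution of relative include paths against snort.conf's own directory is an assumption.

```python
import ntpath
import re

# Constructed sample files (not the attachments from this thread).
SNORT_CONF = r"""
var RULE_PATH ..\rules
include $RULE_PATH\local.rules
# include d:\win-ds\snort\etc\threshold.conf
include $RULE_PATH\threshold.conf
"""
THRESHOLD_CONF = """
# suppress gen_id 1, sig_id 2003
suppress gen_id 1, sig_id 1852
suppress gen_id 1, sig_id 469, track by_src, ip 10.1.1.54
"""

SUPPRESS = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$")

def active_includes(conf_text, conf_path):
    """Absolute paths of every uncommented include, in load order."""
    conf_dir, variables, found = ntpath.dirname(conf_path), {}, []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 2)  # drop comments, tokenize
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2].strip()
        elif len(parts) >= 2 and parts[0] == "include":
            path = " ".join(parts[1:])
            path = re.sub(r"\$(\w+)",
                          lambda m: variables.get(m.group(1), m.group(0)), path)
            # Assumption: relative paths resolve against snort.conf's directory.
            found.append(ntpath.normpath(ntpath.join(conf_dir, path)))
    return found

def loaded_threshold_files(conf_text, conf_path):
    """The threshold.conf copies Snort is actually told to read."""
    return [p for p in active_includes(conf_text, conf_path)
            if ntpath.basename(p).lower() == "threshold.conf"]

def suppressions(threshold_text):
    """Active suppress entries as (gen_id, sig_id, track, ip)."""
    out = []
    for raw in threshold_text.splitlines():
        m = SUPPRESS.match(raw.split("#", 1)[0].strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out
```

With the constructed snort.conf above, the \etc copy is commented out, so only edits to the \rules copy would take effect after Snort is stopped and restarted.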

