Re: How to Ignore certain alerts

[Nigel Houghton <nhoughton () sourcefire com>]

On Mon, Sep 21, 2009 at 10:28 AM, Daniel Qian
<daniel.qian () supracanada com> wrote:
> Thanks for the Info Joel. I am a new user and was not aware that snort.org
> has been re-disigned.
>
> I have another question regarding the packages for new snort release and VRT
> rules -
> both of them have a snort.conf file but they are a little different. Which
> one should I use?
> I have been using the one that comes with the rules package but it wont work
> with snort release 2.8.5. It comlains something about loading duplicate
> 'detection'.
>
>
>
> ----- Original Message -----
> From: "Joel Esler" <jesler () sourcefire com>
> To: "Daniel Qian" <daniel.qian () supracanada com>
> Cc: "Brian Fagan" <bfagan () teleformix com>;
> <snort-users () lists sourceforge net>
> Sent: Monday, September 21, 2009 10:10 AM
> Subject: Re: [Snort-users] How to Ignore certain alerts
>
>
> The link isn't valid at this time, as that functionality has not been moved
> from the old snort.org to the current web design.
>
> The part you are interested in is the number
> in the URL.
>
> On Monday, September 21, 2009, Daniel Qian <daniel.qian () supracanada com>
> wrote:
> > Thanks for the reply Brian. The 'snort' reference
> > link takes me to the page saying 'The page you are looking for isn’t
> > here'. I
> > assume the link is produced by snort output and upgraded snort to the most
> > recent release 2.8.5 but the error is still there. Is this normal or a
> > real
> > error?
> >
> >
> >   ----- Original Message -----
> >   From:
> >   Brian
> >   Fagan <javascript:_e({}, 'cvml', 'bfagan () teleformix com');>
> >   To: Daniel Qian <javascript:_e({}, 'cvml',
> > 'daniel.qian () supracanada com');>
> >   Cc: snort-users () lists sourceforge net
> >   ; Joel
> >   Esler
> >   Sent: Monday, September 21, 2009 8:41
> >   AM
> >   Subject: Re: [Snort-users] How to Ignore
> >   certain alerts
> >
> >
> >   In
> >   BASE if you click on the snort link in the signature it will take you to
> > a
> >   Snort page that gives you an error, if you look at the end of the link
> > you
> >   will see something like 1:3254, the first number is the gen_id and the
> > seconed
> >   number is the sig_id.
> > ----- Original Message -----
> >
> >   From:
> >   "Daniel Qian" <daniel.qian () supracanada com>
> > To:
> >   "Joel Esler" <jesler () sourcefire com>
> > Cc: snort-users () lists sourceforge net
> > Sent:
> >   Saturday, September 19, 2009 9:02:55 PM GMT -06:00 US/Canada
> >   Central
> > Subject: Re: [Snort-users] How to Ignore certain
> >   alerts
> >
> >
> >
> >
> >   How do I get the value for gen_id, sig_id from the Base
> >   output to put in threshold.conf file?
> >
> >     -----
> >     Original Message -----
> >     From:
> >     Joel Esler
> >     To:
> >     Daniel Qian
> >
> >     Cc:
> >     snort-users () lists sourceforge net
> >     Sent:
> >     Saturday, September 19, 2009 8:34 PM
> >     Subject:
> >     Re: [Snort-users] How to Ignore certain alerts
> >
> > You should place the suppressions in the threshold.conf file.
> >     Make sure that the file is also uncommented in the snort.conf file.
> >     (It's at the very bottom of the stock file)
> >
> >
> >     J
> >
> >     On Sat, Sep 19, 2009 at 8:13 PM, Daniel Qian
> > <daniel.qian () supracanada com> wrote:
> >     Should
> >       I place the suppression rule in rules/local.rules file? In Base
> > interface,
> >       where can I find the sid of the alerts that get triggered?
> >
> > -----
> >       Original Message ----- From: "Joel Esler" <jesler () sourcefire com>
> > To: "Daniel Qian" <daniel.qian () supracanada com>
> > Cc: <snort-users () lists sourceforge net>
> > Sent: Friday,
> >       September 18, 2009 6:43 PM
> > Subject: Re: [Snort-users] How to Ignore
> >       certain alerts
> >
> >
> >
> >
> >
> >       Check
> >         out "suppression" in the
>
>
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
> http://p.sf.net/sfu/devconf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


At the moment there are some subtle differences between the snort.conf
that comes with 2.8.5 and the one that is in the VRT rule set. The
main one being that the ssh preprocessor is now enabled in the snort
distribution where it is not in the VRT one.

You should use the snort.conf that comes with Snort 2.8.5 and modify
it to suit your needs.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users