Snort mailing list archives
Preprocessors still alerting after suppress added in threshold.conf
From: Agus <agus.262 () gmail com>
Date: Mon, 10 Jun 2013 19:56:43 -0300
Hi guys,

I am testing a new sensor and trying to suppress the most noisy alerts. The suppress seems to be working OK, because when I finished reading the pcap with snort, I get:

+-----------------------[filtered events]--------------------------------------
| gen-id=1 sig-id=2014726 type=Limit tracking=src count=1 seconds=60 filtered=4
| gen-id=119 sig-id=19 type=Suppress tracking=none filtered=337
| gen-id=119 sig-id=31 type=Suppress tracking=none filtered=54
| gen-id=119 sig-id=32 type=Suppress tracking=none filtered=69
| gen-id=120 sig-id=3 type=Suppress tracking=none filtered=114
| gen-id=138 sig-id=5 type=Suppress tracking=none filtered=417

But then I go to the alert file and I see alerts on those preprocessors still...

Anything I'm missing?

Thanks!