Snort mailing list archives
Re: Preprocessing rule blocking
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 24 May 2013 11:01:44 -0400
On 5/24/2013 09:00, SnortFan wrote:
> I decided to try to suppress using: Suppress gen_id 137, sig_id 1

that looks correct... i don't think case matters but all of my threshold.conf entries are lowercase...

> But suppression doesn't seem to work, after restarting snort the alerts still get through.

gotta ask... you are looking at new entries after making the threshold.conf change and restarting your snort, correct?

> If I try at the snort.conf by commenting out the preprocessor wouldn't I be suppressing all SSL alerts?

yes, that's why i pointed you to the preprocessor.rules stub file in /path/to/your/preproc_rules directory ;)

> Thanks,
>
> Sent from a mobile device.
>
> On May 23, 2013, at 8:00 PM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> On 5/23/2013 15:15, SnortFan wrote:
>>> Hi All,
>>>
>>> If I want to limit or block all reporting on Snort Alert [137:1:0]
>>> Would this work to limit it to one for every minute via the threshold.conf.
>>> Is there an easy way to block it all together?
>>>
>>> event_filter \
>>>     gen_id 137, sig_id 1, \
>>>     type limit, track by_src, \
>>>     count 1, seconds 60
>>
>> yes, that will limit it to one alert every minute... to disable it completely, you might comment the rule out in your preproc_rules/preprocessor.rules file if you are using that... i /think/ that's where the stub is located...
--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
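The two threshold.conf entries discussed in this thread, run through a simplified model over constructed alerts to show what each one lets through. This is an added example, not part of the original messages and not Snort's own code. The alert tuples, addresses and the unrelated 1:1000001 signature are constructed, and the assumption that a limit window restarts at the first event after the interval expires belongs to the model.

```python
import re

# Constructed threshold.conf text: the two entries discussed in the thread.
EVENT_FILTER = r"""
event_filter \
    gen_id 137, sig_id 1, \
    type limit, track by_src, \
    count 1, seconds 60
"""
SUPPRESS = "suppress gen_id 137, sig_id 1\n"

def parse_threshold_conf(text):
    """Join backslash continuations, return [(keyword, {option: value})]."""
    entries = []
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        keyword, _, rest = line.partition(" ")
        if keyword in ("suppress", "event_filter"):  # lowercase, as in the reply
            pairs = (field.split() for field in rest.split(","))
            entries.append((keyword, {p[0]: p[1] for p in pairs if len(p) == 2}))
    return entries

def logged_alerts(entries, alerts):
    """Simplified model: alerts are time-ordered (epoch_s, src_ip, gid, sid) tuples.
    Handles unconditional suppress and 'type limit, track by_src' only."""
    windows = {}  # (gid, sid, src_ip) -> [window_start, events_seen]
    kept = []
    for ts, src, gid, sid in alerts:
        keep = True
        for keyword, opt in entries:
            if (int(opt["gen_id"]), int(opt["sig_id"])) != (gid, sid):
                continue
            if keyword == "suppress":
                keep = False
            elif opt.get("type") == "limit":
                win = windows.setdefault((gid, sid, src), [ts, 0])
                if ts - win[0] >= int(opt["seconds"]):  # interval expired: new window
                    win[0], win[1] = ts, 0
                win[1] += 1
                if win[1] > int(opt["count"]):
                    keep = False
        if keep:
            kept.append((ts, src, gid, sid))
    return kept

# Constructed alerts: 137:1 from two sources, plus one unrelated 1:1000001.
ALERTS = [(0, "10.0.0.5", 137, 1), (5, "10.0.0.9", 137, 1), (10, "10.0.0.5", 137, 1),
          (15, "10.0.0.5", 1, 1000001), (20, "10.0.0.9", 137, 1), (59, "10.0.0.5", 137, 1),
          (60, "10.0.0.5", 137, 1), (61, "10.0.0.5", 137, 1), (130, "10.0.0.5", 137, 1)]

if __name__ == "__main__":
    for name, conf in (("event_filter", EVENT_FILTER), ("suppress", SUPPRESS)):
        kept = logged_alerts(parse_threshold_conf(conf), ALERTS)
        print(name, [(ts, src) for ts, src, *_ in kept])
```

With the event_filter, each source still produces one 137:1 alert per 60-second window; with the suppress entry, only the unrelated signature is logged.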