Re: [Snort-users] Signature question...
This is a discussion on Re: [Snort-users] Signature question... within the Snort forums, part of the System Security and Security Related category; On Tue, Jan 20, 2004 at 08:35:05PM -0500, Jeff Kell wrote: > I am in the process of &...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
01-28-2004
|
|||
|
|||
Re: [Snort-users] Signature question...
On Tue, Jan 20, 2004 at 08:35:05PM -0500, Jeff Kell wrote:
> I am in the process of "tuning" our signatures to rule out false > positives (e.g., FrontPage alerts on fully-patched machines). I do not > want to disable the signature completely (although I do know how to do > that), but merely "pass" on the check if it is one of our known patched > servers. I believe the suppress command defined in threshold.conf is what you are looking for: suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24 Jeff ------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
