This is a discussion on RE: [Snort-users] Is this right one? within the Snort forums, part of the System Security and Security Related category.
suppress gen_id 119, sig_id 4 works for me.
I don't run portscan, so I've not tried suppress on those alerts.

Bruce

-----Original Message-----
From: Peter Rodger [mailto:prodger2008@yahoo.com]
Sent: Tuesday, October 25, 2005 12:07 PM
To: Briggs, Bruce; Eric Maheo; s
Subject: RE: [Snort-users] Is this right one?

Hi,
Thanks for your help and it works (only monitoring exchange servers' traffic). I still could not figure out why this one does not work as posted before:

[snort] (portscan) Open Port unclassified
[snort] (portscan) UDP Portsweep unclassified
[snort] (http_inspect) BARE BYTE UNICODE ENCODING

I have attempted to suppress these alerts in my snort.conf file like the following:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

Could it be too much traffic that overkills the snort box so it cannot process suppress as indicated above?
Currently, the snort box is placed inside the firewall and I span the PIX port to the snort monitoring port.
Please give me some suggestions and hints. Should I buy taps?

Thanks as always,
Peter

--- "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:
> The format should be:
> suppress gen_id 1, sig_id 1070
>
> Make sure that you have an uncommented include on snort.conf for threshold.conf.
>
> Also you could comment out sid_id 1070 in web-misc.rules
>
> Many use oinkmaster to automatically update new Snort sigs and keep mods to their Snort rules.
>
> Bruce
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Peter Rodger
> Sent: Tuesday, October 25, 2005 10:35 AM
> To: s
> Subject: [Snort-users] Is this right one?
>
> Hi all,
> I try to suppress this one event.
> WEB-MISC WebDAV search access
> I added suppress sid_id 1070 in the threshold.conf.
> Is this right?
>
> Thanks,
>
> Peter

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
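As an added example that is not part of the thread or of Snort's own code, the Python below checks the two things Bruce points out: that each suppress line uses the `gen_id ..., sig_id ...` form (the `suppress sid_id 1070` attempt is caught as malformed) and that snort.conf carries an uncommented `include threshold.conf`; it then tells which fast-alert lines a given suppress set would silence. The threshold.conf and snort.conf fragments and the alert lines are constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed threshold.conf fragment (not from the thread): the three working
# lines Peter posted plus the malformed 'sid_id' line from his first attempt.
THRESHOLD_CONF = """\
# suppress gen_id <gid>, sig_id <sid> [, track by_src|by_dst, ip <addr>]
suppress gen_id 119, sig_id 4
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress sid_id 1070
"""
# Constructed snort.conf fragments: one has the include commented out.
SNORT_CONF_BROKEN = "include reference.config\n# include threshold.conf\n"
SNORT_CONF_OK = "include reference.config\ninclude threshold.conf\n"

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(?:by_src|by_dst)\s*,\s*ip\s+\S+)?\s*$")
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):\d+\]")  # "[gid:sid:rev]" in fast alerts


def parse_suppress(conf_text: str) -> Tuple[Set[Tuple[int, int]], List[str]]:
    """Return the (gid, sid) pairs that are suppressed and any malformed lines."""
    suppressed: Set[Tuple[int, int]] = set()
    malformed: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("suppress"):  # comments, blanks, threshold lines
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:  # e.g. 'suppress sid_id 1070': gen_id is mandatory
            malformed.append(line)
            continue
        suppressed.add((int(m.group(1)), int(m.group(2))))
    return suppressed, malformed


def threshold_conf_included(snort_conf: str) -> bool:
    """True only if snort.conf has an uncommented include of threshold.conf."""
    pat = re.compile(r"^\s*include\s+\S*threshold\.conf\s*$")
    return any(pat.match(l) for l in snort_conf.splitlines())


def would_suppress(alert_line: str, suppressed: Set[Tuple[int, int]]) -> Optional[bool]:
    """Match an alert's [gid:sid:rev] against the suppress set; None if no id found."""
    m = ALERT_ID_RE.search(alert_line)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2))) in suppressed
```

Run `parse_suppress` over your real threshold.conf and `threshold_conf_included` over snort.conf before restarting Snort; a non-empty malformed list or a False include check explains alerts that keep firing despite a suppress entry.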