snort-users May 2009 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: [Snort-users] alert suppression

[Snort-users] alert suppression

From: Jefferson, Shawn <Shawn.Jefferson_at_nospam>
Date: Tue May 05 2009 - 22:25:38 GMT
To: "snort-users@lists.sourceforge.net" <snort-users@lists.sourceforge.net>


Hi,

I want to suppress some alerts I've been getting, specifically the tag: tagged packet. I've tried putting "suppress gen_id 2, sig_id 1" in the threshold.conf file, but this doesn't seem to be working. Is there a better way to suppress this alert? Especially if there is a method that is better performance-wise. I've looked around in the documentation and didn't see anything specific to the tag: tagged packet alert.

Also, the new dcerpc2 preprocesser is pretty noisy in my environment, creating quite a few alerts each day. Can anyone share any tuning advice for this?

Thanks,
Shawn



The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com



Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users