snort-users May 2009 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: Re: [Snort-users] alert suppression

Re: [Snort-users] alert suppression

From: Pedro Marinho <pppmarinho_at_nospam>
Date: Thu May 07 2009 - 12:53:44 GMT
To: snort-users@lists.sourceforge.net


Hello Jefferson,

>Searching on the IP address in the tagged packet, like Greg suggested and
then sorting them >by timestamp shows that this alert and a couple of tagged packets all have the same src/dst >IP and port and timestamp in BASE.

>Now I know what they are, I don't want to get rid of them from showing up
in BASE. ;)

>Thanks,
>Shawn

I know a way to get rid of it on base; Log in at mysql use databasesnort;

First you have to figure it out what is the sig_id of this

select sig_id from signature where sig_name = 'tag: tagged packet';

this query will return a number like 435 for example then u do another query with the number from the previously query

delete from event where signature = 435; delete from acid_event where signature = 435;

ps: be carefull!! this will delete all alerts that have the signature msg "tag: tagged packet" from snort database



The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com



Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users