Re: [Snort-users] alert suppression

From: Pedro Marinho <pppmarinho_at_nospam>
Date: Thu May 07 2009 - 12:53:44 GMT
To: snort-users@lists.sourceforge.net

Hello Jefferson,

>Searching on the IP address in the tagged packet, like Greg suggested and
then sorting them >by timestamp shows that this alert and a couple of tagged packets all have the same src/dst >IP and port and timestamp in BASE.

>Now I know what they are, I don't want to get rid of them from showing up
in BASE. ;)

>Thanks,
>Shawn

I know a way to get rid of it on base; Log in at mysql use databasesnort;

First you have to figure it out what is the sig_id of this

select sig_id from signature where sig_name = 'tag: tagged packet';

this query will return a number like 435 for example then u do another query with the number from the previously query

delete from event where signature = 435; delete from acid_event where signature = 435;

ps: be carefull!! this will delete all alerts that have the signature msg "tag: tagged packet" from snort database

The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message: [ Message body ]
Next message: James Lay: "[Snort-users] Understanding Snort and mysql vs Barnyard and mysql"
Previous message: CunningPike: "Re: [Snort-users] alert suppression"
Maybe in reply to: Jefferson, Shawn: "[Snort-users] alert suppression"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]