Snort mailing list archives

Preprocessors still alerting after suppress added in threshold.conf
From: Agus <agus.262 () gmail com>
Date: Mon, 10 Jun 2013 19:56:43 -0300

Hi guys,

I am testing a new sensor and trying to suppress most noisy alerts.

The suppress seems to be working OK, because when I finished reading the pcap
with Snort, I get:

| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
| gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
| gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
| gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
| gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
| gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=417

But then I go to the alert file and I see alerts on those preprocessors.

Anything I'm missing?
