Snort mailing list archives

Re: Fwd: Re: Suppress alerts


From: João Mota <joao () 3gnt net>
Date: Wed, 19 Oct 2005 10:16:02 +0100

Peter Rodger wrote:

Thanks for your reply.  The attached is the output
after I ran snort -c snort.conf.

Please let me know anything wrong with that.

Well... the thresholding info isn't there. I've noticed that this part of the output is sent to stderr instead of stdout. Don't know how you can redirect this on windows. Anyway, even if you don't have any thresholding configured you should get something like:

Running in IDS mode

Initializing Network Interface eth0

       --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
2 Snort rules read...
2 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort

       --== Initialization Complete ==--


Instead of having to check the logs for the suppression you can verify your configuration on the [suppression] part. If it displays like this example (none) it means that the other repliers were right and probably you're not pointing to the right threshold.conf file. If there is some thresholding info (besides 'none') you should post it here along with (I know you've already posted several times) the desired behaviour.

Good luck ;)
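The check João describes (look at the bracketed thresholding/suppression sections of the startup banner and see whether they say "none") can be automated. The script below is an added example written for this archive page; it is not code from the thread or from the Snort project. It assumes the banner has been captured to a file with `snort -c snort.conf 2> startup.txt` (stderr redirection with `2>` and `2>&1` works in both POSIX shells and cmd.exe). The unconfigured sample is the banner quoted above; the configured sample is constructed, and the exact format of a suppression entry line is a hypothetical, since only the "none" form appears on this page.

```python
"""Report whether a Snort 2.x startup banner shows any thresholding or
suppression entries, i.e. whether threshold.conf was actually read.

Capture the banner first (it goes to stderr):
    snort -c snort.conf 2> startup.txt
then:  python check_banner.py startup.txt
"""
import re
import sys

# Section header such as "+-----[suppression]-----"; captures the name in brackets.
SECTION_RE = re.compile(r"^\+-+\[(?P<name>[a-z-]+)\]-+$")
# Closing rule line "+-------" with no bracketed name.
RULE_RE = re.compile(r"^\+-+$")
# The three sections that matter for the question in the thread.
SECTIONS = ("thresholding-global", "thresholding-local", "suppression")

# Constructed sample: the unconfigured banner quoted in the message above.
UNCONFIGURED_BANNER = """\
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
+------------------------------------------------------------------------------
"""

# Constructed sample with one suppression entry. The entry line's layout is a
# hypothetical stand-in; only the "none" form is shown on the page.
CONFIGURED_BANNER = """\
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| gen-id=1 sig-id=2003 type=Suppress tracking=none
+------------------------------------------------------------------------------
"""


def parse_threshold_banner(text):
    """Return {section_name: [entry lines]} for every bracketed section.

    A section whose only entry is 'none' (what Snort prints when nothing is
    configured) maps to an empty list, so callers can test truthiness.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
            continue
        if RULE_RE.match(line):
            current = None          # closing rule ends the last section
            continue
        if current and line.startswith("|"):
            entry = line[1:].strip()
            if entry and entry.lower() != "none":
                sections[current].append(entry)
    return sections


def check_threshold_banner(text):
    """Classify the banner: 'banner-missing' (sections not printed at all,
    e.g. stderr was not captured), 'no-config' (every section says none, so
    threshold.conf was not picked up) or 'configured' (at least one entry)."""
    sections = parse_threshold_banner(text)
    missing = [s for s in SECTIONS if s not in sections]
    if missing:
        return {"status": "banner-missing", "missing": missing, "entries": {}}
    entries = {s: sections[s] for s in SECTIONS}
    status = "configured" if any(entries.values()) else "no-config"
    return {"status": status, "entries": entries}


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNCONFIGURED_BANNER
    result = check_threshold_banner(data)
    print("status:", result["status"])
    for name, lines in result["entries"].items():
        print(f"  {name}: {lines if lines else 'none'}")
```

A `banner-missing` result usually means the stderr stream was not captured (the symptom in this thread), while `no-config` means Snort started but found no threshold or suppress directives, which points at the wrong threshold.conf being referenced.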



