Snort mailing list archives

suppressing alert...


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 17 Sep 2010 14:39:42 -0400


if you have more than one IP that you want to suppress an alert for, is it 
better to use multiple lines or list all the addresses (and CIDRs) on one line?

example 1:
suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2


example 2:
suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]


i'm undecided and tend to lean more toward example 1 mainly due to the 
manageability aspects... consider a large list of IPs and trying to locate and 
remove just one...


in using the example 1 format, i note that snort 2.8.6.1 shows two suppression 
lines exactly the same but displays "<list>" for the IPs instead of listing the 
actual IPs and/or CIDRs given...

[quote]
Sep 17 14:02:50 perseus snort[14304]: 
+-----------------------[suppression]------------------------------------------
Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
Sep 17 14:02:50 perseus snort[14304]: 
-------------------------------------------------------------------------------
[/quote]

using the example 2 format gets one line but still displays "<list>" instead of 
the actual IPs and/or CIDRs...

BUG??


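An added helper, not from this thread or from the Snort project, that addresses the manageability question above: it parses suppress lines in either style (one address per line or a bracketed list), merges duplicates for the same gen_id/sig_id/track, removes a single address or CIDR, and re-emits the rule set in whichever style you prefer. It assumes the suppress line shape used in the post (gen_id, sig_id, track, ip) and nothing else; the sample config is constructed.

```python
import re
from ipaddress import ip_network

# Constructed sample: the post's two styles mixed, plus a CIDR and a duplicate.
SAMPLE = """suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
suppress gen_id 1, sig_id 1, track by_src, ip [10.0.0.0/8,2.2.2.2]
"""

LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),"
    r"\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)$"
)

def parse_suppress(text):
    """Map (gen_id, sig_id, track) -> set of ip_network, merging duplicate rules."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed suppress line: {line!r}")
        gen, sig, track, ips = m.groups()
        nets = entries.setdefault((int(gen), int(sig), track), set())
        for tok in ips.strip("[]").split(","):   # "a.b.c.d", "a.b.c.d/nn" or "[x,y,...]"
            nets.add(ip_network(tok.strip(), strict=False))
    return entries

def remove_ip(entries, gen, sig, track, ip):
    """Drop one address/CIDR from a rule; returns True if it was present."""
    key, target = (gen, sig, track), ip_network(ip, strict=False)
    if target not in entries.get(key, ()):
        return False
    entries[key].discard(target)
    return True

def render(entries, one_line=True):
    """Emit suppress lines as one bracketed list per rule, or one line per address."""
    out = []
    for (gen, sig, track), nets in sorted(entries.items()):
        head = f"suppress gen_id {gen}, sig_id {sig}, track {track}, ip "
        strs = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
                for n in sorted(nets)]
        if one_line:
            out.append(head + "[" + ",".join(strs) + "]")
        else:
            out.extend(head + s for s in strs)
    return out
```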