Snort mailing list archives
Re: threshold.conf and suppress 119 19
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 22 Jan 2011 10:50:30 -0500
On 1/22/2011 10:25, Michael Lubinski wrote:
Even though I have "suppress gen_id 119, sig_id 19" in my threshold.conf I still see "(http_inspect) LONG HEADER" alerts in my alerts. I verified the correct id with "grep -i "long" gen-msg.map" it shows;

119 || 19 || http_inspect: LONG HEADER

Why is it still showing up in the alerts?
are these existing alerts or new alerts after you added the suppress to threshold.conf? did you restart your snort after updating the threshold.conf?
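
The two questions in the reply can be answered from the alert file itself. The following is an added example, not part of the original thread: it assumes Snort's default "fast" alert format (no year in the timestamp), and the sample lines, addresses and restart time are constructed.

```python
import re
from datetime import datetime

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
)

# Constructed sample alert lines (documentation addresses, not real traffic).
SAMPLE = [
    "01/22-09:58:12.104233  [**] [119:19:1] (http_inspect) LONG HEADER [**] "
    "[Priority: 3] {TCP} 192.0.2.10:51514 -> 198.51.100.7:80",
    "01/22-10:02:47.551020  [**] [1:1000001:1] constructed local rule [**] "
    "[Priority: 2] {TCP} 192.0.2.11:40022 -> 198.51.100.7:80",
    "01/22-10:31:05.900417  [**] [119:19:1] (http_inspect) LONG HEADER [**] "
    "[Priority: 3] {TCP} 192.0.2.10:51990 -> 198.51.100.7:80",
]

def split_alerts(lines, gid, sid, restarted_at, year):
    """Split gid:sid alert timestamps into (before, after) the Snort restart.

    restarted_at: when Snort was restarted after editing threshold.conf.
    year: supplied by the caller because default fast alerts omit it.
    """
    before, after = [], []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or (int(m["gid"]), int(m["sid"])) != (gid, sid):
            continue  # unparseable line or a different generator/signature
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        (after if ts > restarted_at else before).append(ts)
    return before, after

if __name__ == "__main__":
    restart = datetime(2011, 1, 22, 10, 20)  # constructed restart time
    old, new = split_alerts(SAMPLE, 119, 19, restart, 2011)
    print(f"119:19 alerts before restart: {len(old)}, after restart: {len(new)}")
    if new:
        print("suppress is not taking effect in the running process; newest:", new[-1])
    else:
        print("only pre-restart alerts remain in the file")
```
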
