Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] rules vs. suppress

from [Jeremy Hewlett] Network Security [Permanent Link]
Subject: Re: [Snort-users] rules vs. suppress
Date: Wed, 30 Mar 2005 16:48:11 -0500 
Sorry for the delayed response. [insert standard excuse here] ;)

On Thu, Mar 24, Lee Clemens wrote:

That all makes sense, but a serious caveat...what suppress statement
wouldn't cause the rule to be pointless? (alert any any <> 10/8 any)


After having a better look at what you're trying to do, Marc Norton
and I both agree.  Making a broad suppression generalization does
nullify your rule statement - you do shutdown quite a bit of alerting
this way. Suppression is too specific for what you want.


Am I overlooking a simple solution for this? 


Your original 21 rules were better for what you're trying to do.  I'd
be happy to poke at your config with you. Send it to me off list if
you want.


-------------------------------------------------------
This SF.net email is sponsored by Demarc:
A global provider of Threat Management Solutions.
Download our HomeAdmin security software for free today!
http://www.demarc.com/info/Sentarus/hamr30
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] why old libnet?, Jeff Nathan
Next by Date:  [Snort-users] My First Snort Oracle Instance, Santford Robert Marcum
Previous by Thread:  RE: [Snort-users] rules vs. suppress, Lee Clemens
Next by Thread:  Re: RE: [Snort-users] rules vs. suppress, Salil D.
Indexes:  [Date] [Thread] [Top] [All Lists]