Network Security: Detailed info on Re: [Snort-users] Alert Suppresion Fail

Subject:	Re: [Snort-users] Alert Suppresion Fail
Date:	Thu, 18 May 2006 18:47:59 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is no sid of 16. What alert are you trying to suppress? Are you trying to suppress "http_inspect: OVERSIZE CHUNK ENCODING"?

That would be gen_id 119, sig_id 16.

Check out your gen-msg.map and sid-msg.map in your etc/ directory in Snort.

Joel


On May 18, 2006, at 6:07 PM, kritikus Araklidas wrote:

Hi everyone:
I have installed the snort 2.4.4 and after some week monitoring my network i'm still working on threads suppresion, so, some of them work fine but, some of then doesn't work like the following:
GEN:SID  1:16
Message  Sorry, no such sid-gen (1:16)
I configure on threshold.conf file the supression rule like:
suppress gen_id 1, sig_id 16, track by_src, ip X.X.X.0/24
But the suppresion doesn't work, the same thing happend with the GEN:SID with no information on snort database.
Any idea is appreciated.
Regards.
Chris.
_________________________________________________________________ Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp? cid=3963
------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --Joel
joel.esler@sourcefire.com
http://demo.sourcefire.com/jesler.pgp.key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEbPmiKbCSyXHckt4RAnYIAKCdPVrSobsBOHQ/mh1iznxLcxIhmACggvxC
bNoOGfRO7UKz4EfNIyqRlUI=
=yWzA
-----END PGP SIGNATURE-----


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] data from multiple sessions in one alert/packet, Jon Hart Re: [Snort-users] data from multiple sessions in one alert/packet, nikns Re: [Snort-users] data from multiple sessions in one alert/packet, Jon Hart Re: [Snort-users] data from multiple sessions in one alert/packet, Joel Esler [Snort-users] Alert Suppresion Fail, kritikus Araklidas Re: [Snort-users] Alert Suppresion Fail, Joel Esler <= [Snort-users] Mail Notification Fail, kritikus Araklidas Re: [Snort-users] data from multiple sessions in one alert/packet, Jon Hart Re: [Snort-users] data from multiple sessions in one alert/packet, Joel Esler

Previous by Date:	Re: [Snort-users] data from multiple sessions in one alert/packet, Jon Hart
Next by Date:	Re: [Snort-users] data from multiple sessions in one alert/packet, Joel Esler
Previous by Thread:	[Snort-users] Alert Suppresion Fail, kritikus Araklidas
Next by Thread:	[Snort-users] Mail Notification Fail, kritikus Araklidas
Indexes:	[Date] [Thread] [Top] [All Lists]