
[Snort-sigs] (snort decoder) Bad Traffic Same Src/Dst IP {trying to suppress alerts from certain IPs}


Question

I'm trying to suppress alerts from 2 machines where this traffic is normal. When using BASE to identify the SID, it says the SID is 151, but when I search snort.org I cannot find THIS rule. I have searched high and low to find references to this specific instance of the rule (I have already suppressed SID 527).

I have run grep in my rules directory to find the rule that is creating this alert, to no avail. The forum has no entries on this, nor can I find anything in the archives. Where is this alert being generated from?

Any help is greatly appreciated.

Answer

This alert is being generated from the snort_decoder itself. See the config directives for instructions on how to shut these off (Snort manual, page 16/17ish).
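
As an added example (not part of the original thread), here is how the global decoder switch compares with a per-host suppression in Snort 2.x configuration syntax. It assumes the decoder's generator ID is 116, as in Snort 2.x `gen-msg.map`, and uses placeholder addresses for the two machines.

```conf
# Constructed example for snort.conf / threshold.conf (Snort 2.x syntax).
# 192.0.2.10 and 192.0.2.11 are placeholder addresses for the two hosts.

# Broad option: turns off every decoder alert for every host, which also
# hides malformed-packet alerts from machines where they are not expected.
# config disable_decode_alerts

# Narrow option: suppress only generator 116 (snort_decoder), SID 151,
# and only when the source is one of the two known hosts.
suppress gen_id 116, sig_id 151, track by_src, ip 192.0.2.10
suppress gen_id 116, sig_id 151, track by_src, ip 192.0.2.11

# The text-rule variant (generator 1, SID 527) is a separate event.
# Suppressing it does not affect 116:151, and grep over the rules
# directory only finds this one.
suppress gen_id 1, sig_id 527, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 527, track by_src, ip 192.0.2.11
```

The alert output shows the generator alongside the SID in the form `[116:151:rev]`, which tells a decoder or preprocessor event apart from a text rule.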