Netgate Discussion Forum
    Snort event filter

    pfSense Packages
    HiTekRedNek

      Snort 2.9.1 pkg v. 2.1.1, pfSense 2.0.1

      I'm getting flooded by alerts when running updates on my Linux box.

      Description
      ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management  1:2013504:2

      I am trying to filter these events to only flag me once. When I read the manual and look at the examples under the suppress tab, I figured this command could work.

      event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120

      I restarted the snort service but when I ran the update check from the Linux box and checked the alerts tab, I am still getting flooded by these warnings.

      Is my command syntax correct?

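As an added illustration for this thread (not code from the poster, from pfSense or from Snort), the Python below parses an event_filter line of the form shown in the post and simulates Snort's documented threshold.conf semantics for the three filter types (limit, threshold, both), tracked by_src or by_dst. The filter line is the one from the post; the event stream, the host addresses and the replay()/demo() helpers are constructed for the example. With the posted filter, one source host generating twenty APT alerts within a minute produces a single logged alert, a second host gets its own alert, and the first host alerts again only after the 120-second window has passed. Global filters (sig_id 0) are not modelled.

```python
"""Simulate Snort event_filter (threshold.conf) semantics.

Added, stand-alone example; not code from the thread, pfSense or Snort.
It models the documented behaviour of the three filter types (limit,
threshold, both) keyed by gen_id/sig_id and tracked by_src or by_dst.
Global filters (sig_id 0) are not modelled.
"""
import re
from dataclasses import dataclass

# Matches one event_filter line, e.g. the one from the post:
# event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120
_FILTER_RE = re.compile(
    r"^\s*event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*"
    r"type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)\s*,\s*"
    r"count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*$"
)


@dataclass(frozen=True)
class EventFilter:
    gen_id: int
    sig_id: int
    ftype: str      # "limit" | "threshold" | "both"
    track: str      # "by_src" | "by_dst"
    count: int
    seconds: int


def parse_event_filter(line: str) -> EventFilter:
    """Parse one event_filter line; raise ValueError if the syntax is wrong."""
    m = _FILTER_RE.match(line)
    if not m:
        raise ValueError(f"not a valid event_filter line: {line!r}")
    gen_id, sig_id, ftype, track, count, seconds = m.groups()
    return EventFilter(int(gen_id), int(sig_id), ftype, track, int(count), int(seconds))


class EventFilterEngine:
    """Decide, per (gen_id, sig_id, tracked address), whether an event is logged."""

    def __init__(self, filters):
        self.filters = {(f.gen_id, f.sig_id): f for f in filters}
        self.state = {}   # (gen_id, sig_id, addr) -> [window_start, count]

    def should_log(self, gen_id, sig_id, src, dst, t) -> bool:
        f = self.filters.get((gen_id, sig_id))
        if f is None:
            return True                 # no filter for this rule: log everything
        addr = src if f.track == "by_src" else dst
        st = self.state.setdefault((gen_id, sig_id, addr), [t, 0])
        if t - st[0] > f.seconds:       # window expired: start a fresh one
            st[0], st[1] = t, 0
        st[1] += 1
        n = st[1]
        if f.ftype == "limit":          # log the first `count` events per window
            return n <= f.count
        if f.ftype == "threshold":      # log every `count`-th event, then restart
            if n >= f.count:
                st[0], st[1] = t, 0
                return True
            return False
        return n == f.count             # "both": log once per window, on event `count`


def replay(filters, events):
    """Return the events the filters let through. Event = (gen_id, sig_id, src, dst, t)."""
    eng = EventFilterEngine(filters)
    return [e for e in events if eng.should_log(*e)]


# The filter line from the post.
APT_FILTER = "event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120"


def demo():
    """Constructed scenario: host 10.0.0.5 fires sid 2013504 every 3 s for a minute,
    host 10.0.0.6 fires once at t=5, and 10.0.0.5 fires again at t=200."""
    f = parse_event_filter(APT_FILTER)
    events = [(1, 2013504, "10.0.0.5", "203.0.113.10", t) for t in range(0, 60, 3)]
    events.append((1, 2013504, "10.0.0.6", "203.0.113.10", 5))
    events.append((1, 2013504, "10.0.0.5", "203.0.113.10", 200))
    events.sort(key=lambda e: e[4])
    return replay([f], events)


if __name__ == "__main__":
    for gen_id, sid, src, dst, t in demo():
        print(f"t={t:>3}s  logged {gen_id}:{sid} from {src}")
```

Run it directly to print the events that survive the filter. The simulation shows the behaviour the syntax is meant to give once Snort loads the line; it does not tell you whether the running sensor has actually loaded it.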
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.