3. Snort event filter

Snort event filter

  • H

    Snort 2.9.1 pkg v. 2.1.1  pfSense 2.0.1

    I'm getting flooded by alerts when running updates on my Linux box.

    Description
    ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management  1:2013504:2

    I am trying to filter these event to only flag me once. When I read the manual and look at the examples under the suppress tab, I figured this command could work.

    event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120

    I restarted the snort service but when I ran the update check from the Linux box and checked the alerts tab, I am still getting flooded by these warnings.

    Is my command syntax correct?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy