Snort event filter
HiTekRedNek
Snort 2.9.1 pkg v. 2.1.1 pfSense 2.0.1
I'm getting flooded by alerts when running updates on my Linux box.
ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management 1:2013504:2
I am trying to filter these events to only flag me once. When I read the manual and looked at the examples under the suppress tab, I figured this command could work.
event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120
I restarted the Snort service, but when I ran the update check from the Linux box and checked the alerts tab, I am still getting flooded by these warnings.
Is my command syntax correct?
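As an added illustration (not code from the post above, and not Snort's or the pfSense package's own implementation), the following Python parses an event_filter line of the form used in the post and replays a constructed set of alerts through a model of the documented "type limit, track by_src" behaviour: log the first `count` matching events from a source inside a `seconds` window, drop the rest until the window expires. The timestamps, addresses and the second signature id are made up for the demonstration, and the rule that the first event opens the window is this model's simplification of Snort's internal timing.

```python
"""Model of Snort event_filter 'type limit' rate limiting (added example)."""

# Constructed sample alerts: (timestamp_seconds, gid, sid, src_ip, dst_ip).
# Invented for illustration; not real Snort output.
SAMPLE_ALERTS = [
    (0,   1, 2013504, "192.0.2.10", "198.51.100.5"),
    (5,   1, 2013504, "192.0.2.10", "198.51.100.5"),
    (60,  1, 2013504, "192.0.2.10", "198.51.100.5"),
    (119, 1, 2013504, "192.0.2.10", "198.51.100.5"),
    (121, 1, 2013504, "192.0.2.10", "198.51.100.5"),  # window expired: logged again
    (130, 1, 2013504, "192.0.2.20", "198.51.100.5"),  # other source: own counter
    (130, 1, 9999999, "192.0.2.10", "198.51.100.5"),  # hypothetical sid: not filtered
]

FILTER_LINE = "event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120"


def parse_event_filter(line):
    """Parse a 'keyword value, keyword value, ...' event_filter line into a dict.

    Minimal parser for the documented keyword form; not Snort's own parser.
    Raises ValueError on a malformed clause or a missing keyword.
    """
    body = line.strip()
    if not body.startswith("event_filter"):
        raise ValueError("not an event_filter line")
    cfg = {}
    for clause in body[len("event_filter"):].split(","):
        parts = clause.split()
        if len(parts) != 2:
            raise ValueError(f"malformed clause: {clause.strip()!r}")
        cfg[parts[0]] = parts[1]
    required = ("gen_id", "sig_id", "type", "track", "count", "seconds")
    missing = [k for k in required if k not in cfg]
    if missing:
        raise ValueError(f"missing keywords: {missing}")
    if cfg["type"] not in ("limit", "threshold", "both"):
        raise ValueError(f"unknown type {cfg['type']!r}")
    if cfg["track"] not in ("by_src", "by_dst"):
        raise ValueError(f"unknown track {cfg['track']!r}")
    return {
        "gen_id": int(cfg["gen_id"]),
        "sig_id": int(cfg["sig_id"]),
        "type": cfg["type"],
        "track": cfg["track"],
        "count": int(cfg["count"]),
        "seconds": int(cfg["seconds"]),
    }


class LimitFilter:
    """Per-address counter implementing only 'type limit'."""

    def __init__(self, cfg):
        if cfg["type"] != "limit":
            raise NotImplementedError("this model only handles type limit")
        self.cfg = cfg
        self.state = {}  # tracked address -> (window_start, events_in_window)

    def allow(self, alert):
        ts, gid, sid, src, dst = alert
        if (gid, sid) != (self.cfg["gen_id"], self.cfg["sig_id"]):
            return True  # filter does not apply to other signatures
        key = src if self.cfg["track"] == "by_src" else dst
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.cfg["seconds"]:
            self.state[key] = (ts, 1)  # first event opens a new window
            return True
        seen += 1
        self.state[key] = (start, seen)
        return seen <= self.cfg["count"]  # first `count` events per window pass


def apply_filter(cfg, alerts):
    """Return the alerts that would still be logged after filtering."""
    flt = LimitFilter(cfg)
    return [a for a in alerts if flt.allow(a)]


if __name__ == "__main__":
    for a in apply_filter(parse_event_filter(FILTER_LINE), SAMPLE_ALERTS):
        print(a)
```

With the post's line parsed, the replay logs the first event from 192.0.2.10, suppresses the next three inside the 120 second window, logs again once the window has expired, and leaves the other source and the unrelated signature untouched. Replaying a capture of one's own alert timestamps through a model like this is a quick way to check whether a filter line, once it is actually loaded, should be expected to reduce the volume seen.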