Snort event filter



  • Snort 2.9.1 pkg v. 2.1.1  pfSense 2.0.1

    I'm getting flooded by alerts when running updates on my Linux box.

    Description
    ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management  1:2013504:2

    I am trying to filter these events to only flag me once. When I read the manual and look at the examples under the suppress tab, I figured this command could work.

    event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120
    

    I restarted the snort service but when I ran the update check from the Linux box and checked the alerts tab, I am still getting flooded by these warnings.

    Is my command syntax correct?
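The filter line from the post, run through a small syntax check plus a simulation of the limit/threshold/both semantics as the Snort manual describes them. This is an added example, not code from the thread or from Snort itself; the field order the regex accepts and the sample alert burst are my own assumptions.

```python
import re
from collections import defaultdict

# One Snort 2.9 event_filter line, in the fixed field order the manual shows.
EVENT_FILTER_RE = re.compile(
    r"^\s*event_filter\s+gen_id\s+(?P<gen_id>\d+)\s*,\s*sig_id\s+(?P<sig_id>\d+)\s*,"
    r"\s*type\s+(?P<type>limit|threshold|both)\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,"
    r"\s*count\s+(?P<count>\d+)\s*,\s*seconds\s+(?P<seconds>\d+)\s*$"
)

def parse_event_filter(line):
    """Return the filter's fields as a dict, or raise ValueError on bad syntax."""
    m = EVENT_FILTER_RE.match(line)
    if not m:
        raise ValueError("not a valid event_filter line: %r" % line)
    flt = m.groupdict()
    for key in ("gen_id", "sig_id", "count", "seconds"):
        flt[key] = int(flt[key])
    return flt

def apply_filter(flt, events):
    """Simulate the filter over (ts, gen_id, sig_id, src, dst) tuples sorted by ts.
    Returns the events Snort would still log under the documented semantics:
      limit     -> first `count` events per tracked address per window
      threshold -> every `count`-th event per window
      both      -> once per window, when the `count`-th event arrives"""
    logged = []
    windows = defaultdict(lambda: [None, 0])   # tracked address -> [window start, hits]
    for ev in events:
        ts, gid, sid, src, dst = ev
        if (gid, sid) != (flt["gen_id"], flt["sig_id"]):
            logged.append(ev)                   # filter does not cover this signature
            continue
        win = windows[src if flt["track"] == "by_src" else dst]
        if win[0] is None or ts - win[0] >= flt["seconds"]:
            win[0], win[1] = ts, 0              # start a new time window
        win[1] += 1
        n, kind = win[1], flt["type"]
        if (kind == "limit" and n <= flt["count"]) or \
           (kind == "threshold" and n % flt["count"] == 0) or \
           (kind == "both" and n == flt["count"]):
            logged.append(ev)
    return logged

# Constructed sample: the post's filter, a 300-second burst of 1:2013504 from one host
# every 5 s, one alert from a second host, and one unrelated signature id.
POST_FILTER = "event_filter gen_id 1, sig_id 2013504, type limit, track by_src, count 1, seconds 120"
SAMPLE_EVENTS = sorted(
    [(t, 1, 2013504, "192.168.1.10", "203.0.113.5") for t in range(0, 300, 5)]
    + [(10, 1, 2013504, "192.168.1.20", "203.0.113.5"),
       (50, 1, 2013505, "192.168.1.10", "203.0.113.5")])

def demo():
    return apply_filter(parse_event_filter(POST_FILTER), SAMPLE_EVENTS)
```

With count 1 and seconds 120, the burst from 192.168.1.10 collapses to one logged alert per 120-second window (at t=0, 120 and 240), so the line itself is syntactically sound and would thin the alerts if the filter were actually loaded.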

