On Tue, 2010-04-13 at 08:20 +0700, Indrajaya Pitra Perdana wrote:
> Hello guys, can somebody help me? thanks
>
> Regards, Indrajaya Pitra Perdana
>
> On 4/12/2010 11:11 AM, Indrajaya Pitra Perdana wrote:
> > Dear all,
> >
> > I try to add a suppress rule in the threshold.conf like this:
> >
> > suppress gen_id 122, sig_id 1, track by_dst, 10.10.10.0/24
> >
> > But snort won't start with this kind of error:
> >
> > /usr/local/etc/snort/threshold.conf(4) => Suppress-Parse: argument
> > pairing error
> >
> > Can somebody help me where exactly I'm doing wrong? thanks a lot
> >
> >
> > Note: I'm using Snort 2.8.4.1_5 pkg v. 1.6

hi indrajaya,

imho, you should probably consider snort as experimental, as far as the pfsense release goes.

i have also had very bad luck -- i decided to block offending hosts, and after accumulating several hundred, the router blocked wan access. i cleared, de-installed, and eventually had to reboot in order to let packets through.

there is no persistence -- if the router is restarted, the blocked list is lost, if you upgrade the package, the configuration files are wiped out, so you need to reboot to restore original config. barnyard2 is not working either, so there's no way to achieve persistence on the rule violations.

i would play with it on a non-production router only.

cheers
m
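
Added example, not part of the thread and not Snort or pfSense code: the Snort 2.x manual gives the suppress form as `suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip>`, and the line quoted in the question has a bare network where the `ip <ip>` pair belongs. The sketch below is a pre-flight check for `threshold.conf` that flags such lines before Snort is restarted; the function names, messages and sample file are constructed here, and it assumes one address or CIDR block per rule (no variables or bracketed lists).

```python
import ipaddress

ALLOWED_KEYS = {"gen_id", "sig_id", "track", "ip"}

def check_suppress(line):
    """Return the problems found in one suppress line; an empty list means it passed."""
    words = line.split("#", 1)[0].split(None, 1)
    if len(words) < 2 or words[0] != "suppress":
        return ["not a suppress line with arguments"]
    problems, args = [], {}
    for chunk in words[1].split(","):
        pair = chunk.split()
        if len(pair) != 2:  # e.g. a bare "10.10.10.0/24" with no key in front
            problems.append(f"argument is not a 'key value' pair: {chunk.strip()!r}")
        elif pair[0] not in ALLOWED_KEYS:
            problems.append(f"unknown key: {pair[0]!r}")
        else:
            args[pair[0]] = pair[1]
    for key in ("gen_id", "sig_id"):
        if not args.get(key, "").isdigit():
            problems.append(f"{key} missing or not a number")
    if ("track" in args) != ("ip" in args):
        problems.append("track and ip must be given together")
    if "track" in args and args["track"] not in ("by_src", "by_dst"):
        problems.append(f"track must be by_src or by_dst, got {args['track']!r}")
    if "ip" in args:
        try:
            ipaddress.ip_network(args["ip"], strict=False)
        except ValueError:
            problems.append(f"ip is not an address or CIDR block: {args['ip']!r}")
    return problems

def check_config(text):
    """Map line number -> problems for each failing suppress line in a config body."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("suppress") and check_suppress(line):
            report[number] = check_suppress(line)
    return report

# Constructed sample: line 2 is the rule from the question, line 3 adds the ip keyword.
SAMPLE = """# threshold.conf (constructed sample)
suppress gen_id 122, sig_id 1, track by_dst, 10.10.10.0/24
suppress gen_id 122, sig_id 1, track by_dst, ip 10.10.10.0/24
"""

if __name__ == "__main__":
    for number, found in check_config(SAMPLE).items():
        print(f"line {number}: " + "; ".join(found))
```

Run against the sample, only line 2 is reported: once for the unpaired `10.10.10.0/24` and once because `track` appears without `ip`.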
