Can you post the snort alert that you are trying to suppress? Just offhand, it looks like your statement is missing `ip`:

suppress gen_id 122, sig_id 1, track by_dst, ip 10.10.10.0/24

Also the threshold.conf file should likely be the one tied to the snort instance and interface; mine is located here:

/usr/local/etc/snort/snort_25801_fxp0/threshold.conf

Hope this helps.

Chris

On Mon, Apr 12, 2010 at 12:11 AM, Indrajaya Pitra Perdana <viet...@indo.net.id> wrote:
> Dear all,
>
> I am trying to add a suppress rule in the threshold.conf like this:
>
> suppress gen_id 122, sig_id 1, track by_dst, 10.10.10.0/24
>
> But snort won't start with this kind of error:
>
> /usr/local/etc/snort/threshold.conf(4) => Suppress-Parse: argument pairing error
>
> Can somebody help me with where exactly I'm going wrong? Thanks a lot.
>
> Note: I'm using Snort 2.8.4.1_5 pkg v. 1.6
>
> --
> Regards,
> Indrajaya Pitra Perdana
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
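
Added example, not part of the original thread and not Snort's own parser: a small pre-flight check that catches the unpaired argument discussed above before Snort is restarted. It assumes the single-address `ip <addr[/cidr]>` form shown in the reply; the function names and the sample file are constructed for illustration.

```python
import ipaddress
# Suppress syntax as used in the thread (Snort 2.8.x threshold.conf):
#   suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <addr[/cidr]>
KEYS = ("gen_id", "sig_id", "track", "ip")

def check_suppress(line):
    """Return a list of problems for one config line; [] means it looks valid."""
    words = line.split("#", 1)[0].split(None, 1)
    if not words or words[0] != "suppress":
        return []                                  # not a suppress directive
    problems, seen = [], {}
    for arg in (words[1] if len(words) > 1 else "").split(","):
        pair = arg.split()
        if len(pair) != 2:                         # every argument is "keyword value"
            problems.append(f"argument pairing error near {arg.strip()!r}")
            continue
        key, value = pair
        if key not in KEYS:
            problems.append(f"unknown keyword {key!r}")
        elif key in ("gen_id", "sig_id") and not value.isdigit():
            problems.append(f"{key} must be numeric, got {value!r}")
        elif key == "track" and value not in ("by_src", "by_dst"):
            problems.append(f"track must be by_src or by_dst, got {value!r}")
        elif key == "ip":
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"ip is not an address or CIDR block: {value!r}")
        seen[key] = value
    problems += [f"missing {k}" for k in ("gen_id", "sig_id") if k not in seen]
    if ("track" in seen) != ("ip" in seen):
        problems.append("track and ip must be given together")
    return problems

def check_conf(text):
    """Check every line of a threshold.conf; return [(line_number, problem), ...]."""
    return [(n, p) for n, line in enumerate(text.splitlines(), 1)
            for p in check_suppress(line)]
# Constructed sample file: line 4 is the statement from the question, line 5 the fix.
SAMPLE = """\
# threshold.conf (constructed sample)
suppress gen_id 1, sig_id 2000
# internal range
suppress gen_id 122, sig_id 1, track by_dst, 10.10.10.0/24
suppress gen_id 122, sig_id 1, track by_dst, ip 10.10.10.0/24
"""
if __name__ == "__main__":
    for lineno, problem in check_conf(SAMPLE):
        print(f"threshold.conf({lineno}) => {problem}")
```

Run it against the threshold.conf tied to the Snort instance and interface, since that is the file the running sensor actually loads.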