Hi all,

Last week I put our Squid servers in our datacenter and everything is working great. So I'm starting to monitor the incoming traffic and encounter also the traffic from the second squid server. I have the two squid servers set up in a high availability setup using heartbeat. The packages sent by this process are detected and captured by Snort as
(listed like this in acidbase,
and in the alert log as
I don't want to disable ICMP entirely but am very new at this. How do I tell Snort to ignore this particular traffic since it's generating a lot of alerts? I'm reading up on Snort and such but would like to disable this specific one since it's eating up space at a very speedy rate.

Any help is greatly appreciated.

Kind regards,

Eric

there should be a file called threshold.conf in /etc/snort/ This is were signature can be suppressed either by signature ID, destination IP or source IP.

Edit that to say something like,

suppress gen_id #, sig_id #, track by_src, ip 192.168.253.11

The gen_id and sig_id # are usually in the signature or by clicking on the [snort] link on the acidbase.

Also check to make sure that the variables in snort.conf are set properly specifically the $HOME_NET and $EXTERNAL_NET

Hi shizzles,

Thank you very much for your reply. Just configured it and works like a charm.

Kind regards,

Eric