Snort tip: Quick suppression technique


If you manage a snort box, you know how much time you spend tuning the thresholds and tweaking the rules. Here's a quick way to search your rules files for the sid you want to suppress in your threshold.conf. This works on BSD, but Linux should be fairly close.

1. Search all the rules files for a pattern:

for i in /path/to/rules/*.rules ; do grep -iH "Pattern to search" "$i" ; done

This should return the line in the rules file with the sid you need to suppress (the -H flag prefixes each hit with the file it came from).

 

2. Issue this command to add the suppression to your threshold.conf (replace <SID> with the sid found in step 1; the keyword snort expects is sig_id, and the quotes keep the shell from treating <SID> as a redirection):

echo "suppress gen_id 1, sig_id <SID>" >> /path/to/threshold.conf

 

Step 1 greps through all the rules files in the folder for a match on the pattern. Step 2 appends the "suppress" line to the end of your threshold.conf. Remember to restart snort so the changes take effect.
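The two steps above wrapped into one script, as an added example that is not part of the original post: it extracts the gid and sid from every rule matching a pattern (rules without a gid option default to gen_id 1, commented-out rules are skipped), and only appends a suppress line when threshold.conf does not already have one for that gid/sid, so re-running it is safe. The RULES_DIR and THRESHOLD_CONF paths, the sample rules and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): search a Snort rules directory for a
# pattern, extract the gid/sid of each matching rule, and append a matching
# "suppress" line to threshold.conf unless one is already there.
# RULES_DIR and THRESHOLD_CONF defaults are assumptions; override them in the
# environment to match your installation.

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
THRESHOLD_CONF="${THRESHOLD_CONF:-/etc/snort/threshold.conf}"

# find_sids PATTERN
# Prints "GID SID" for every rule in $RULES_DIR/*.rules whose text matches
# PATTERN (case-insensitive). Rules with no explicit gid option default to 1.
find_sids() {
    grep -ih -- "$1" "$RULES_DIR"/*.rules 2>/dev/null |
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out rules
        {
            sid = ""; gid = "1"
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH); sub(/sid:[ \t]*/, "", sid)
            }
            if (match($0, /gid:[ \t]*[0-9]+/)) {
                gid = substr($0, RSTART, RLENGTH); sub(/gid:[ \t]*/, "", gid)
            }
            if (sid != "") print gid, sid
        }' | sort -u
}

# add_suppression GID SID
# Appends "suppress gen_id GID, sig_id SID" to $THRESHOLD_CONF. Returns 1 (and
# appends nothing) if a suppress line for that gid/sid is already present.
add_suppression() {
    pat="^[[:space:]]*suppress[[:space:]]+gen_id[[:space:]]+$1,[[:space:]]*sig_id[[:space:]]+$2([[:space:]]|,|\$)"
    if grep -Eq "$pat" "$THRESHOLD_CONF" 2>/dev/null; then
        return 1
    fi
    printf 'suppress gen_id %s, sig_id %s\n' "$1" "$2" >> "$THRESHOLD_CONF"
}

# suppress_pattern PATTERN
# Steps 1 and 2 combined: every rule matching PATTERN gets a suppress line.
# Prints the number of lines newly added; returns 1 if no rule matched at all.
suppress_pattern() {
    added=0; found=0
    for pair in $(find_sids "$1" | tr ' ' ':'); do
        found=$((found + 1))
        gid=${pair%%:*}; sid=${pair##*:}
        if add_suppression "$gid" "$sid"; then
            added=$((added + 1))
        fi
    done
    echo "$added"
    [ "$found" -gt 0 ]
}

# make_demo_rules DIR
# Writes two constructed sample rule files (made up for this example, not real
# Snort rules) into DIR so the script can be tried without a live rules directory.
make_demo_rules() {
    mkdir -p "$1"
    cat > "$1/web.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO WEB-MISC scanner user-agent"; content:"DemoScanner"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO WEB-MISC scanner disabled"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DEMO WEB-MISC noisy TLS probe"; gid:1; sid:9000003; rev:2;)
EOF
    cat > "$1/local.rules" <<'EOF'
alert udp any any -> $HOME_NET 53 (msg:"DEMO DNS scanner lookup"; gid:3; sid:9000010; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"DEMO SSH brute force"; sid:9000011; rev:1;)
EOF
}

# Stand-alone demo against a throwaway directory:  sh suppress.sh --demo scanner
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    RULES_DIR="$tmp/rules"; THRESHOLD_CONF="$tmp/threshold.conf"
    make_demo_rules "$RULES_DIR"
    echo "matching rules (gid sid):"; find_sids "${2:-scanner}"
    echo "new suppress lines: $(suppress_pattern "${2:-scanner}")"
    cat "$THRESHOLD_CONF"
    rm -rf "$tmp"
fi
```

Run it with --demo to see it work on the constructed rules; against a real box, point RULES_DIR and THRESHOLD_CONF at your own paths and remember that a suppress line silences the alert completely, so check the printed gid/sid list before letting it write anything. Restart snort afterwards as the post says.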


About this Entry

This page contains a single entry by Jeff published on January 13, 2010 7:33 AM.
