[Snort-devel] Help with Suppression

Thanos Constantopoulos thanoscon at gmail.com
Fri Feb 8 05:04:13 EST 2019


Hello All,

We are running Snort3.0.0-250 as IDS and we are trying to suppress
several IP addresses from the logs (global suppression from all
signatures). In order to perform this for specific IP addresses by
source we add the below under snort.lua

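suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    -- a repeated key in one Lua table keeps only one value, so only one of the two ip entries is used
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10', ip = '192.168.10.10' },
}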

My questions are:

- Is there a way to use additional suppression rules to cover by_src
with the same gid and sid?
- Is there a way to use additional suppression rules to cover by_src
and by_dst, to totally exclude a subnet or IP address?

