[Snort-devel] Help with Suppression

Russ rucombs at cisco.com
Fri Feb 8 12:29:19 EST 2019


Hey Thanos,

You can only set one suppression per gid:sid pair so you can't at the 
moment fully exclude a gid:sid by suppression.

Are the alerts you are trying to suppress with 0:0 based on builtin 
rules?  You may be able to configure multiple policies differently to work 
around some cases.

Also, I'm curious about your suppression of 119:225 and 119:228. Can you 
share any data on those like -A cmg output or maybe a pcap?

Thanks
Russ

On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
> Hello All,
>
> We are running Snort3.0.0-250 as IDS and we are trying to suppress
> several IP addresses from the logs (global suppression from all
> signatures). In order to perform this for specific IP addresses by
> source we add the below under snort.lua
>
> suppress =
> {
>     { gid = 119, sid = 228 },
>     { gid = 119, sid = 225 },
>     -- track is a string; a single ip key holds the address list
>     { gid = 0, sid = 0, track = 'by_src', ip = '[10.10.10.10, 192.168.10.10]' },
> }
>
> My questions are:
>
> - Is there a way to use additional suppression rules to cover by_src
> with the same gid and sid?
> - Is there a way to use additional suppression rules to cover by_src
> and by_dst, to totally exclude a subnet or IP address?
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
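As an added example that is not code from the thread or from Snort's own distribution: a snort.lua suppress table that stays within the one-entry-per-gid:sid constraint Russ describes, so the by_src and by_dst cases go on different rules. The rule 1:2000001, the 10.10.10.0/24 subnet and the host list are constructed for illustration, and the bracketed address-list form for ip is assumed to follow Snort's IP-list syntax.

```lua
-- Added example (not from the thread): suppress entries for snort.lua.
-- Each gid:sid appears once; track and ip narrow when that entry applies.
suppress =
{
    -- 119:228 is suppressed unconditionally (no track, no ip)
    { gid = 119, sid = 228 },

    -- 119:225 is suppressed only when the *source* is in this constructed subnet
    { gid = 119, sid = 225, track = 'by_src', ip = '10.10.10.0/24' },

    -- 1:2000001 (hypothetical text rule) is suppressed only when the
    -- *destination* is one of these constructed hosts (address-list syntax)
    { gid = 1, sid = 2000001, track = 'by_dst', ip = '[10.10.10.10, 192.168.10.10]' },
}
-- A further { gid = 119, sid = 225, track = 'by_dst', ... } entry would not add
-- a second suppression for that rule; only one suppression per gid:sid is kept.
-- Validate the configuration before deploying it:
--     snort -c snort.lua -T --warn-all
```

Running Snort in test mode (-T) with --warn-all surfaces malformed entries such as an unquoted track value or a duplicated ip key before the sensor goes live.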
