[Snort-devel] Help with Suppression

Tim Townsend Tim at SaifulBouquet.com
Fri Feb 8 12:28:12 EST 2019


I have removed myself from this group several times through the website but I am still getting emails. Can someone please remove me?

Thanks

TIM TOWNSEND
IT Director


-----Original Message-----
From: Snort-devel [mailto:snort-devel-bounces at lists.snort.org] On Behalf Of Russ via Snort-devel
Sent: Friday, February 08, 2019 9:29 AM
To: snort-devel at lists.snort.org
Subject: Re: [Snort-devel] Help with Suppression

Hey Thanos,

You can only set one suppression per gid:sid pair so you can't at the moment fully exclude a gid:sid by suppression.

Are the alerts you are trying to suppress with 0:0 based on builtin rules?  You may be able to configure multiple policies differently to work around some cases.

Also, I'm curious about your suppression of 119:225 and 119:228. Can you share any data on those like -A cmg output or maybe a pcap?

Thanks
Russ

On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
> Hello All,
>
> We are running Snort3.0.0-250 as IDS and we are trying to suppress several IP addresses from the logs (global suppression from all signatures). In order to perform this for specific IP addresses by source we add the below under snort.lua
>
> suppress =
> {
>     { gid = 119, sid = 228 },
>     { gid = 119, sid = 225 },   -- was "sid 225": the "=" was missing
>     -- track must be a string, and a key repeated inside one Lua table
>     -- constructor keeps only its last value, so only the second "ip"
>     -- below actually reaches Snort
>     { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10', ip = '192.168.10.10' },
> }
>
> My questions are:
>
> - Is there a way to use additional suppression rules to cover by_src with the same gid and sid?
> - Is there a way to use additional suppression rules to cover by_src and by_dst, to totally exclude a subnet or IP address?
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
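The constraint Russ describes (one suppression entry per gid:sid pair) is easy to violate silently when the suppress table grows. The following snort.lua fragment is an added example, not code from the thread or from the Snort project: it writes out the entries from the thread with the syntax corrected and adds a small check, run at config load, that reports any gid:sid pair that appears more than once. The check_suppress function is my own and the 'by_dst' entry is an assumption used only to illustrate the track field.

```lua
-- Added example (not from the thread): suppress table with one entry per
-- gid:sid, plus a check that flags repeated gid:sid pairs before Snort
-- silently ignores them. Addresses are the ones posted in the thread.
suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    -- only one 0:0 entry is accepted; 192.168.10.10 cannot be added as a
    -- second 0:0 entry, which is the limitation discussed in the thread
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10' },
    -- assumed entry showing the other track direction for a builtin rule
    { gid = 116, sid = 1, track = 'by_dst', ip = '10.10.10.0/24' },
}

-- Return a list of problem descriptions (empty when the table is clean).
local function check_suppress(tbl)
    local seen, problems = {}, {}
    for i, e in ipairs(tbl) do
        local key = tostring(e.gid or 0) .. ':' .. tostring(e.sid or 0)
        if seen[key] then
            problems[#problems + 1] = string.format(
                'entry %d repeats %s (first defined at entry %d)', i, key, seen[key])
        else
            seen[key] = i
        end
        if e.track and e.track ~= 'by_src' and e.track ~= 'by_dst' then
            problems[#problems + 1] = string.format(
                "entry %d has track '%s'; expected 'by_src' or 'by_dst'", i, e.track)
        end
    end
    return problems
end

for _, p in ipairs(check_suppress(suppress)) do
    print('suppress: ' .. p)
end
```

Running `snort -c snort.lua --warn-all` with a duplicated gid:sid prints the offending entry numbers during config load, before any traffic is processed.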
