[Snort-devel] Help with Suppression

Eugenio Pérez eupm90 at gmail.com
Sat Feb 23 06:13:10 EST 2019


Hi, Thanos!

I'm not sure if this will match what you are looking for, or the way you
want to achieve it, but I did a patch for adding the by src AND dst
suppression filters. Sadly, I have not maintained the original repository
since 2016 (Snort version 2.9.8.3), but I think that the patch should apply
easily to the latest Snort 2.x, and maybe to Snort 3.x. I'm happy to update
the patch for the latest Snort version.

https://github.com/eugpermar/snort/tree/feature/sIP_dIP_filters

If that is OK for you, please be sure to only use the
"feature/sIP_dIP_filters" branch, since the "master" branch contains
other patches that you may not want to apply (they are described in the README).

Hope that it works for you. Regards!

On Sat, 23 Feb 2019 at 12:01, Thanos Constantopoulos via Snort-devel (<
snort-devel at lists.snort.org>) wrote:

> Hello All,
>
> I'm resending this in case you can clarify the below:
>
> What I'm trying to achieve is the below:
>
> Suppress specific signature (done)
> Suppress specific signature from a specific source IP (done)
> Suppress specific signature from a specific destination IP (done)
> Suppress specific signature from a specific IP address by_src and/or
> by_dst (is this possible?)
> Global suppress (0:0) a specific source IP (done)
> Global suppress (0:0) a specific destination IP (done)
> Global suppress (0:0) a specific IP address by_src and/or by_dst (is this
> possible?)
>
> You mentioned multiple policies. How can I create multiple policies?
>
> Is there a way to place the suppression rules in a different file and
> include it in snort.lua?
>
> Thanks
>
>
>
>
> --------------------------------------------------------------------------------------------------------------------------
>
>
>
>
>
> Hello Russ
>
> Yes these are built in rules and I was trying to also add a global
> suppression for all signatures. I tried to comment the signature from
> the builtin rules but that didn't work.
> Can you please explain a bit more about the multiple policies? How can
> I implement this?
>
>
>
> > Message: 1
>
> > Date: Fri, 8 Feb 2019 12:29:19 -0500
>
> > From: Russ <rucombs at cisco.com>
>
> > To: snort-devel at lists.snort.org
>
> > Subject: Re: [Snort-devel] Help with Suppression
>
> > Message-ID: <c9cc45b0-8f82-cc40-5b0d-7b877991619a at cisco.com>
>
> > Content-Type: text/plain; charset=utf-8; format=flowed
>
> >
>
> > Hey Thanos,
>
> >
>
> > You can only set one suppression per gid:sid pair so you can't at the
> > moment fully exclude a gid:sid by suppression.
> >
> > Are the alerts you are trying to suppress with 0:0 based on builtin
> > rules? You may be able to configure multiple policies differently to work
> > around some cases.
> >
> > Also, I'm curious about your suppression of 119:225 and 119:228. Can you
> > share any data on those like -A cmg output or maybe a pcap?
>
> >
>
> > Thanks
>
> > Russ
>
> >
>
> > On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
>
> > > Hello All,
>
> > >
>
> > > We are running Snort3.0.0-250 as IDS and we are trying to suppress
>
> > > several IP addresses from the logs (global suppression from all
>
> > > signatures). In order to perform this for specific IP addresses by
>
> > > source we add the below under snort.lua
>
> > >
>
> > > suppress =
> > > {
> > >     -- per-signature suppression, keyed on gid:sid
> > >     { gid = 119, sid = 228 },
> > >     { gid = 119, sid = 225 },
> > >     -- global (0:0) suppression by source address; 'track' takes a string
> > >     -- in the Snort 3 Lua config, and a repeated 'ip' key in one Lua table
> > >     -- constructor keeps only the last value ('192.168.10.10' here)
> > >     { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10', ip = '192.168.10.10' },
> > > }
>
> > >
>
> > > My questions are:
>
> > >
>
> > > - Is there a way to use additional suppression rules to cover by_src
> > > with the same gid and sid?
> > > - Is there a way to use additional suppression rules to cover by_src
> > > and by_dst, to totally exclude a subnet or IP address?
>
> > > _______________________________________________
>
> > > Snort-devel mailing list
>
> > > Snort-devel at lists.snort.org
>
> > > https://lists.snort.org/mailman/listinfo/snort-devel
>
> > >
>
> > > Please visit http://blog.snort.org for the latest news about Snort!
>
> >
>
> >
>
> >
>
> > ------------------------------
>
> >
>
> > Message: 2
>
> > Date: Fri, 8 Feb 2019 17:28:12 +0000
>
> > From: Tim Townsend <Tim at SaifulBouquet.com>
>
> > To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
>
> > Subject: Re: [Snort-devel] Help with Suppression
>
> > Message-ID:
>
> >         <abdb6d7cf9d44774ad0e4d28ef410cef at Mail.SaifulBouquet.local>
>
> > Content-Type: text/plain; charset="utf-8"
>
> >
>
> > I have removed myself from this group several times through the website
> but I am still getting emails. Can someone please remove me?
>
> >
>
> > Thanks
>
> >
>
> > TIM TOWNSEND
>
> > IT Director
>
> >
>
> > ------------------------------
>
> >
>
> > Message: 3
>
> > Date: Fri, 8 Feb 2019 19:35:15 +0000 (UTC)
>
> > From: "lbelyeu71 at gmail.com" <lbelyeu71 at gmail.com>
>
> > To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>,  Tim
>
> >         Townsend <Tim at SaifulBouquet.com>
>
> > Subject: Re: [Snort-devel] Help with Suppression
>
> > Message-ID: <204005713.560161.1549654515221 at mail.yahoo.com>
>
> > Content-Type: text/plain; charset="utf-8"
>
> >
>
> >  Please remove me as well. No longer in this Profession.
>
>
> > ------------------------------
>
> >
>
> > Message: 4
>
> > Date: Fri, 8 Feb 2019 17:04:08 -0500
>
> > From: Aaron Taylor <aaroncurtistaylor at gmail.com>
>
> > To: snort-devel at lists.snort.org
>
> > Subject: [Snort-devel] remove from list
>
> > Message-ID:
>
> >         <CABU9SvWQWX2VdRZ+CvEn2fg-J14VHd3xazC-oY=
> bFLxEy4_a4g at mail.gmail.com>
>
> > Content-Type: text/plain; charset="UTF-8"
>
> >
>
> > I have also unsubscribed but somehow still getting emails. Please
>
> > remove me from the list.
>
> >
>
> >
>
> > ------------------------------
>
> >
>
> > Message: 5
>
> > Date: Sat, 9 Feb 2019 15:25:50 +0800
>
> > From: Mel Griffiths <melsphonemail at gmail.com>
>
> > To: snort-devel at lists.snort.org
>
> > Subject: [Snort-devel] Fwd:  remove from list
>
> > Message-ID:
>
> >         <CA+0kOjcT5=Z+OtBMRQrn=
> gEusuVJ7zsibtKgvNfc03MGdou7VQ at mail.gmail.com>
>
> > Content-Type: text/plain; charset="utf-8"
>
> >
>
> > Could you please also remove me from this list?
>
> >
>
> > Thanks.
>
>
> > ------------------------------
>
> >
>
> > End of Snort-devel Digest, Vol 20, Issue 2
>
> > ******************************************
>
>
>
>
>
> ------------------------------
>
>
>
> Message: 3
>
> Date: Mon, 11 Feb 2019 09:36:23 -0500
>
> From: Russ <rucombs at cisco.com>
>
> To: snort-devel at lists.snort.org
>
> Subject: Re: [Snort-devel] Snort-devel Digest, Vol 20, Issue 2
>
> Message-ID: <39c7db5c-2d8e-e871-f098-9ebad0064f20 at cisco.com>
>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
>
> Commenting out the rule will disable it completely. Make sure you are
> not also setting ips.enable_builtin_rules = true. That setting is just
> to enable the builtin rules w/o using the rule stubs.
>
> End of Snort-devel Digest, Vol 20, Issue 3
>
> ******************************************
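Thanos's question about keeping the suppression rules in a separate file, and the malformed `suppress` table quoted above, both lend themselves to a concrete Snort 3 configuration. The following is an added example written for this page; it is not code from the thread, from Snort's own distribution, or from Eugenio's patch, and the file name `suppress.lua` and the address in it are assumptions. It relies on two things the thread does not spell out: Snort 3's `snort.lua` loads other Lua files with `include` (the stock `snort.lua` pulls in `snort_defaults.lua` that way, from the same directory), and each `suppress` entry is an ordinary Lua table, so one entry cannot carry two `ip` keys (the second silently replaces the first). In line with Russ's note that only one suppression per `gid:sid` pair is honoured, the global `0:0` entry appears once.

```lua
-- suppress.lua (assumed file name): Snort 3 suppression kept outside snort.lua.
-- Place it next to snort.lua and load it from there with the single line:
--     include 'suppress.lua'
-- (the stock snort.lua loads snort_defaults.lua with the same mechanism).

suppress =
{
    -- Per-signature suppression: silence these builtin alerts everywhere.
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },

    -- Global suppression (0:0), restricted to a tracked address.
    -- 'track' is a string in the Lua config ('by_src' or 'by_dst'), and a
    -- Lua table constructor keeps only ONE value per key: writing
    -- ip = 'a', ip = 'b' in the same entry silently drops 'a'. The thread
    -- also states that only one suppression per gid:sid takes effect, so
    -- 0:0 is listed exactly once here. The address is an assumed example.
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10' },
}
```

A quick sanity check after editing is `snort -c snort.lua -T`, which parses the configuration (including the included file) without processing traffic and reports any key it does not recognise, which is how a stray `sid 225` or an unquoted `by_src` surfaces before the sensor goes live.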

