[Snort-users] suppressing alert...

waldo kitty wkitty42 at ...14940...
Fri Sep 17 14:39:42 EDT 2010


If you have more than one IP that you want to suppress an alert for, is it
better to use multiple lines or to list all the addresses (and CIDRs) on one line?

example 1:
suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2


example 2:
suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]


I'm undecided and tend to lean more toward example 1, mainly due to the
manageability aspects... consider a large list of IPs and trying to locate and
remove just one...


In using the example 1 format, I note that Snort 2.8.6.1 shows two suppression
lines that are exactly the same, but displays "<list>" for the IPs instead of listing
the actual IPs and/or CIDRs given...

[quote]
Sep 17 14:02:50 perseus snort[14304]: +-----------------------[suppression]------------------------------------------
Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1      tracking=src-ip=<list>
Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1      tracking=src-ip=<list>
Sep 17 14:02:50 perseus snort[14304]: -------------------------------------------------------------------------------
[/quote]

Using the example 2 format gets one line, but it still displays "<list>" instead of
the actual IPs and/or CIDRs...

BUG??
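The manageability question in the post (many addresses per gid:sid, and finding and removing just one) is easy to take out of Snort's hands. The following is an added example, not code from the original post and not part of Snort: a small Python helper that parses `suppress` lines in both layouts shown above, answers "is this packet's source or destination suppressed for this gid:sid?", removes one address or CIDR, and re-emits the config in either the one-IP-per-line or the single-list form. It assumes the threshold.conf syntax exactly as written in the post (`suppress gen_id N, sig_id N[, track by_src|by_dst, ip <ip or [list]>]`); nested lists and `!` negation are deliberately not handled, and the sample config is constructed for the example.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample threshold.conf (not from the original post): both layouts
# from the post, a CIDR inside a list, and a blanket suppress with no track.
SAMPLE_CONF = """\
# constructed sample
suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
suppress gen_id 1, sig_id 1, track by_src, ip [10.0.0.0/8,192.168.1.5]
suppress gen_id 1, sig_id 2
"""

# Matches the syntax shown in the post; the track/ip part is optional.
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_ip_list(text):
    """Turn '1.1.1.1' or '[1.1.1.1,10.0.0.0/8]' into ip_network objects.
    Nested lists and '!' negation are not supported (assumption of this example)."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    nets = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("!"):
            raise ValueError("negated entry not handled: %s" % item)
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_suppress(conf_text):
    """Map (gid, sid, track) -> list of networks; a blanket suppress maps
    (gid, sid, None) -> None. Multiple lines for one key are merged."""
    rules = OrderedDict()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unrecognised suppress line: %r" % line)
        gid, sid, track, ips = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        if track is None:
            rules[(gid, sid, None)] = None
        else:
            rules.setdefault((gid, sid, track), []).extend(parse_ip_list(ips))
    return rules


def is_suppressed(rules, gid, sid, src=None, dst=None):
    """True if a blanket rule exists for gid:sid, or if the address tracked by
    a rule (src for by_src, dst for by_dst) falls inside one of its networks."""
    if (gid, sid, None) in rules:
        return True
    for track, addr in (("by_src", src), ("by_dst", dst)):
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in rules.get((gid, sid, track)) or []):
            return True
    return False


def remove_ip(rules, gid, sid, track, entry):
    """Copy of rules with one entry dropped from a tracked rule. The match is
    on the entry as written (1.1.1.1 == 1.1.1.1/32), not on containment."""
    target = ipaddress.ip_network(entry, strict=False)
    updated = OrderedDict()
    for key, nets in rules.items():
        if key == (gid, sid, track):
            nets = [n for n in nets if n != target]
            if not nets:
                continue  # last address removed: the rule disappears
        updated[key] = nets
    return updated


def render(rules, one_line=True):
    """Emit config lines: one list per gid:sid (example 2) or one IP per line (example 1)."""
    out = []
    for (gid, sid, track), nets in rules.items():
        if track is None:
            out.append("suppress gen_id %d, sig_id %d" % (gid, sid))
            continue
        items = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
                 for n in nets]
        if one_line:
            ip_text = items[0] if len(items) == 1 else "[" + ",".join(items) + "]"
            out.append("suppress gen_id %d, sig_id %d, track %s, ip %s" % (gid, sid, track, ip_text))
        else:
            for item in items:
                out.append("suppress gen_id %d, sig_id %d, track %s, ip %s" % (gid, sid, track, item))
    return out


if __name__ == "__main__":
    rules = parse_suppress(SAMPLE_CONF)
    print(is_suppressed(rules, 1, 1, src="10.20.30.40"))
    for line in render(remove_ip(rules, 1, 1, "by_src", "2.2.2.2"), one_line=False):
        print(line)
```

Whichever layout you keep in threshold.conf, round-tripping through `render()` gives one canonical form, so "locate and remove just one IP" becomes a `remove_ip()` call followed by a rewrite rather than a hunt through a long bracketed list.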