[Snort-users] suppressing alert...

waldo kitty
Wed Sep 22 12:07:44 EDT 2010


no one has any comment on this??


On 9/17/2010 14:39, waldo kitty wrote:
>
> if you have more than one IP that you want to suppress an alert for, is it
> better to use multiple lines or list all the addresses (and CIDRs) on one line?
>
> example 1:
> suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
> suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
>
>
> example 2:
> suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]
>
>
> i'm undecided and tend to lean more toward example 1 mainly due to the
> manageability aspects... consider a large list of IPs and trying to locate and
> remove just one...
>
>
> in using the example 1 format, i note that snort 2.8.6.1 shows two suppression
> lines exactly the same but displays "<list>" for the IPs instead of listing the
> actual IPs and/or CIDRs given...
>
> [quote]
> Sep 17 14:02:50 perseus snort[14304]:
> +-----------------------[suppression]------------------------------------------
> Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1      tracking=src-ip=<list>
> Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1      tracking=src-ip=<list>
> Sep 17 14:02:50 perseus snort[14304]:
> -------------------------------------------------------------------------------
> [/quote]
>
> using the example 2 format gets one line but still displays "<list>" instead of
> the actual IPs and/or CIDRs...
>
> BUG??
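As an added example (not from the thread and not Snort's own code), here is a small Python helper for the two suppress-line layouts compared above: it parses either form with a constructed regex, rewrites a set of entries as one line per address (example 1) or as one bracketed list per gen_id/sig_id/track triple (example 2), and removes a single address whichever form was used, which is the manageability concern raised in the question. The regex, the `by_src`/`by_dst` restriction and the bare-host formatting are assumptions, not a statement of Snort's full threshold.conf grammar.

```python
import ipaddress
import re
# Constructed regex for a Snort threshold.conf "suppress" line; the ip field is a
# single address/CIDR or a bracketed comma-separated list. Not Snort's own parser.
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gen>\d+)\s*,\s*sig_id\s+(?P<sig>\d+)"
    r"\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+)\s*$"
)

def _key(net):
    # Sort key that works across IPv4 and IPv6 networks.
    return (net.version, int(net.network_address), net.prefixlen)

def _fmt(net):
    # Single hosts are written bare, as in the examples; CIDRs keep their prefix.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def parse_suppress(line):
    """Return (gen_id, sig_id, track, [ip_network, ...]) for one suppress line."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError("not a suppress line: %r" % line)
    toks = [t.strip() for t in m.group("ip").strip("[]").split(",") if t.strip()]
    nets = [ipaddress.ip_network(t, strict=False) for t in toks]
    return int(m.group("gen")), int(m.group("sig")), m.group("track"), nets

def expand(lines):
    """Example-1 form: one suppress line per address, deduplicated and sorted."""
    entries = set()
    for line in lines:
        gen, sig, track, nets = parse_suppress(line)
        entries.update((gen, sig, track, n) for n in nets)
    return ["suppress gen_id %d, sig_id %d, track %s, ip %s" % (g, s, t, _fmt(n))
            for g, s, t, n in sorted(entries, key=lambda e: e[:3] + _key(e[3]))]

def merge(lines):
    """Example-2 form: one bracketed list per (gen_id, sig_id, track) triple."""
    groups = {}
    for line in lines:
        gen, sig, track, nets = parse_suppress(line)
        groups.setdefault((gen, sig, track), set()).update(nets)
    return ["suppress gen_id %d, sig_id %d, track %s, ip [%s]"
            % (g, s, t, ",".join(_fmt(n) for n in sorted(nets, key=_key)))
            for (g, s, t), nets in sorted(groups.items())]

def remove_ip(lines, ip):
    """Drop one address/CIDR from every entry, whichever form the input used."""
    target = ipaddress.ip_network(ip, strict=False)
    return [l for l in expand(lines) if parse_suppress(l)[3][0] != target]
```

Running `merge` over a file kept in example-1 form shows what a single-line version would look like, and `expand` does the reverse, so either layout can be kept in the config while the other is used for review.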




