[Snort-users] Event Suppression between specific Source and Destination

Guido Hungerbuehler guh at ...15642...
Fri Dec 14 10:30:45 EST 2012


Hi Joel

Thanks for your feedback. But unfortunately this doesn't work in my 
opinion.

Assume I have Host A and Host B and I want to suppress a signature if 
and only if traffic goes from Host A to Host B.

If I create two suppress rules e.g.
Suppress if originating from A
and
Suppress if destination is B

Then the signature is also suppressed for any other destination than B 
for a packet originating in A. And it is also suppressed for any other 
source than A for a packet with destination B.



On 12/14/2012 04:20 PM, Joel Esler wrote:
> On Fri, Dec 14, 2012 at 11:04:23AM +0100, Guido Hungerbuehler wrote:
>> Hi
>>
>> I am running snort with alert-before-log configuration (it is
>> necessary). How can I suppress a signature between two specific hosts?
>>
>> With the 'Event Suppression' configuration it is only possible to select
>> either track by_src or track by_dst.
>>
>> The next question is: Why is this even like this for 'Event Suppression'?
>>
>> I already searched the mailing-list archive because I think this issue
>> has to be discussed earlier but I didn't find any information.
>>
>>
>> Thanks for your help.
>
>
> If you suppress it in one direction, then you won't see the alert.  If you have bi-directional traffic that you want to suppress, you need to create two suppressions.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
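To make the over-suppression described above concrete, here is a small model of how Snort 2 `suppress` entries are matched, written as an added illustration for this thread (it is not Snort's code and not from either poster). The suppress line syntax (`suppress gen_id N, sig_id N, track by_src|by_dst, ip ADDR`) is Snort's own; the hosts, signature IDs and event tuples are constructed sample data. Each suppress entry is evaluated on its own and an event is dropped if any entry matches, which is exactly why "by_src A" plus "by_dst B" silences more than the A-to-B pair.

```python
"""Model of Snort 2 'suppress' matching for a thread on snort-users.

Added illustration, not Snort's own code. The suppress syntax is Snort's;
all IP addresses, signature IDs and events below are constructed samples.
"""
import ipaddress
import re

# suppress gen_id 1, sig_id 2000001, track by_src, ip 192.0.2.10
SUPPRESS_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(line):
    """Parse one snort.conf suppress line into a dict; None if malformed."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        return None
    gen_id, sig_id, track, ip = m.groups()
    return {
        "gen_id": int(gen_id),
        "sig_id": int(sig_id),
        "track": track,  # None: suppress the signature for every host
        # Snort accepts a host or CIDR block here
        "net": ipaddress.ip_network(ip, strict=False) if ip else None,
    }


def is_suppressed(event, entries):
    """An event is dropped if ANY entry matches it (entries are OR-ed)."""
    for e in entries:
        if (e["gen_id"], e["sig_id"]) != (event["gen_id"], event["sig_id"]):
            continue
        if e["track"] is None:
            return True
        side = event["src"] if e["track"] == "by_src" else event["dst"]
        if ipaddress.ip_address(side) in e["net"]:
            return True
    return False


def surviving_alerts(events, config_lines):
    """Return the events that would still be alerted under config_lines."""
    entries = [p for p in (parse_suppress(l) for l in config_lines) if p]
    return [ev for ev in events if not is_suppressed(ev, entries)]


# Constructed sample data (documentation-range addresses, made-up SID).
HOST_A = "192.0.2.10"
HOST_B = "198.51.100.20"
OTHER = "203.0.113.5"

EVENTS = [
    {"gen_id": 1, "sig_id": 2000001, "src": HOST_A, "dst": HOST_B},  # the one pair to silence
    {"gen_id": 1, "sig_id": 2000001, "src": HOST_A, "dst": OTHER},   # should still alert
    {"gen_id": 1, "sig_id": 2000001, "src": OTHER, "dst": HOST_B},   # should still alert
    {"gen_id": 1, "sig_id": 2000001, "src": HOST_B, "dst": HOST_A},  # reverse direction
    {"gen_id": 1, "sig_id": 2000002, "src": HOST_A, "dst": HOST_B},  # other SID, unaffected
]

# The two-line attempt from the thread: by_src A plus by_dst B.
ONE_PAIR_ATTEMPT = [
    f"suppress gen_id 1, sig_id 2000001, track by_src, ip {HOST_A}",
    f"suppress gen_id 1, sig_id 2000001, track by_dst, ip {HOST_B}",
]

if __name__ == "__main__":
    # Only the B->A event and the unrelated SID survive: A->OTHER and
    # OTHER->B are silenced too, which is the over-suppression in question.
    for ev in surviving_alerts(EVENTS, ONE_PAIR_ATTEMPT):
        print(ev)
```

Running it shows that, of the four sid 2000001 events, only the B-to-A one is still reported: the A-to-OTHER event is eaten by the `by_src` entry and the OTHER-to-B event by the `by_dst` entry, matching the behaviour described in the message above.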