[Snort-users] Event Suppression between specific Source and Destination
guh at ...15642...
Fri Dec 14 10:30:45 EST 2012
Thanks for your feedback. But unfortunately this doesn't work in my
Assume I have Host A and Host B and I want to suppress a signature if
and only if traffic goes from Host A to Host B.
If I create two suppress rules e.g.
Suppress if originating from A
Suppress if destination is B
Then the signature is also suppressed for any other destination than B
for a packet originating in A. And it is also suppressed for any other
source than A for a packet with destination B.
On 12/14/2012 04:20 PM, Joel Esler wrote:
> On Fri, Dec 14, 2012 at 11:04:23AM +0100, Guido Hungerbuehler wrote:
>> I am running snort with alert-before-log configuration (it is
>> necessary). How can I suppress a signature between two specific hosts?
>> With the 'Event Suppression' configuration it is only possible to select
>> either track by_src or track by_dst.
>> The next question is: Why is this even like this for 'Event Suppression'?
>> I already searched the mailing-list archive because I think this issue
>> has to have been discussed earlier, but I didn't find any information.
>> Thanks for your help.
> If you suppress it in one direction, then you won't see the alert. If you have bidirectional traffic that you want to suppress, you need to create two suppressions.
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
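
The over-suppression described in the message above, as an added example that is not part of the original thread. The addresses and sig_id are constructed, and `suppressed()` is a simplified model of the behaviour the poster describes, not Snort's own code.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed values: documentation-range addresses and a placeholder sig_id.
HOST_A, HOST_B, HOST_C, HOST_D = "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"
GID, SID = 1, 1000001

# The two suppressions from the message, in Snort 2 suppress syntax.
SUPPRESS_CONF = f"""
suppress gen_id {GID}, sig_id {SID}, track by_src, ip {HOST_A}
suppress gen_id {GID}, sig_id {SID}, track by_dst, ip {HOST_B}
"""
LINE = re.compile(r"suppress gen_id (\d+), sig_id (\d+), track by_(src|dst), ip (\S+)")

def parse(conf):
    """Return (gid, sid, side, network) for every suppress line."""
    return [(int(g), int(s), side, ip_network(ip)) for g, s, side, ip in LINE.findall(conf)]

def suppressed(event, entries):
    """Model: each entry is checked alone, so one matching side is enough."""
    return any((event["gid"], event["sid"]) == (gid, sid) and ip_address(event[side]) in net
               for gid, sid, side, net in entries)

def wanted(event):
    """What the poster asks for: suppress only when source AND destination match."""
    return (event["gid"], event["sid"], event["src"], event["dst"]) == (GID, SID, HOST_A, HOST_B)

def lost_alerts(events, entries):
    """Flows whose alert disappears although it is not the A -> B pair."""
    return [(e["src"], e["dst"]) for e in events if suppressed(e, entries) and not wanted(e)]

# Constructed alert events for the same signature.
EVENTS = [{"gid": GID, "sid": SID, "src": s, "dst": d}
          for s, d in [(HOST_A, HOST_B), (HOST_A, HOST_C), (HOST_C, HOST_B), (HOST_C, HOST_D)]]

if __name__ == "__main__":
    entries = parse(SUPPRESS_CONF)
    for e in EVENTS:
        print(f'{e["src"]:>12} -> {e["dst"]:<12} suppressed={suppressed(e, entries)} wanted={wanted(e)}')
    print("alerts lost beyond A -> B:", lost_alerts(EVENTS, entries))
```
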