[Snort-users] Event Suppression

Avery Rozar Avery.Rozar at ...16118...
Tue Jun 24 17:25:33 EDT 2014


I’d like for alerts (and drops) to not fire for 21965 when they are coming from an IP. I added the below entry into threshold.conf and I don’t get alerts anymore but the app (it uses wininet) is still not working. Does suppression only filter the alert, but still drop if the signature is set to drop?

suppress gen_id 1, sig_id 21965, track by_src, ip x.x.x.x


Thanks,
Avery



