[Snort-users] Event suppression question, and Whitelist question

Joel Esler (jesler) jesler at ...589...
Thu Jun 26 11:45:10 EDT 2014


On Jun 25, 2014, at 4:16 PM, Avery Rozar <Avery.Rozar at ...16118...> wrote:

> Does event suppression stop alerting, and if inline stop dropping too? Or just alerting, but still drop?
>
> I added the below entry into threshold.conf and I don’t get alerts anymore but the app in use that was firing this sig off (it uses wininet) is still not working.

It just suppresses the alert.  Any action will still take place.

> suppress gen_id 1, sig_id 21965, track by_src, ip x.x.x.x
>
> Does adding a host to the white_list.rules stop preprocessor rules from being applied to this host too?

No, that’s for IP Blacklisting.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
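
Added example, not part of the original message and not Snort's own code: a simplified Python model of the behaviour described in the reply above, where a suppress entry hides the alert while the rule's action still applies, plus a check that lists suppress entries silencing rules that still block traffic. The rule bodies, the second sid and the address 192.0.2.10 (standing in for the redacted x.x.x.x) are constructed, and all function names are hypothetical.

```python
import ipaddress
import re

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr or CIDR>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
# The rule action is the first word; the sid is in the options. Text rules use gen_id 1.
RULE_RE = re.compile(r"^(\w+)\s.*?\bsid\s*:\s*(\d+)\s*;")

def parse_suppress(line):
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        return None
    gid, sid, track, ip = m.groups()
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return {"gid": int(gid), "sid": int(sid), "track": track, "net": net}

def rule_actions(rule_lines):
    actions = {}
    for line in rule_lines:
        m = RULE_RE.match(line.strip())
        if m:
            actions[(1, int(m.group(2)))] = m.group(1)
    return actions

def handle_event(event, suppressions, actions):
    """Model only: suppression hides the alert; the rule's action is unchanged."""
    hidden = False
    for s in suppressions:
        if (s["gid"], s["sid"]) != (event["gid"], event["sid"]):
            continue
        addr = event["src"] if s["track"] == "by_src" else event["dst"]
        if s["track"] is None or ipaddress.ip_address(addr) in s["net"]:
            hidden = True
    return {"alert_logged": not hidden,
            "action": actions[(event["gid"], event["sid"])]}

def silent_blocks(suppressions, actions):
    """Suppress entries whose rule still blocks traffic, now without an alert."""
    return [s for s in suppressions
            if actions.get((s["gid"], s["sid"])) in ("drop", "sdrop", "reject")]

# Constructed sample input (rule bodies and addresses are placeholders).
RULES = ['drop tcp any any -> any any (msg:"constructed example"; sid:21965; rev:1;)',
         'alert tcp any any -> any any (msg:"constructed example 2"; sid:1000001; rev:1;)']
SUPPRESSIONS = [
    parse_suppress("suppress gen_id 1, sig_id 21965, track by_src, ip 192.0.2.10"),
    parse_suppress("suppress gen_id 1, sig_id 1000001")]
```

Running `silent_blocks` over a real threshold.conf and rule set gives a review list of entries where traffic is still being blocked with nothing in the alert log to explain it.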
