[Snort-users] Event supression question, and Whitelist question

Avery Rozar Avery.Rozar at ...16118...
Thu Jun 26 18:57:40 EDT 2014


Thank you Joel.

From: "Joel Esler (jesler)" <jesler at ...589...<mailto:jesler at ...589...>>
Date: Thursday, June 26, 2014 at 11:45 AM
To: Avery Rozar <avery.rozar at ...16118...<mailto:avery.rozar at ...16118...>>
Cc: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: Re: [Snort-users] Event supression question, and Whitelist question

On Jun 25, 2014, at 4:16 PM, Avery Rozar <Avery.Rozar at ...16118...<mailto:Avery.Rozar at ...16118...>> wrote:

Does event suppression stop alerting, and if inline stop dropping too? Or just alerting, but still drop?

I added the below entry into threshold.conf and I don’t get alerts anymore but the app in use that was fining this sig off (it uses wininet) is still not woking.

It just suppresses the alert.  Any action will still take place.

suppress gen_id 1, sig_id 21965, track by_src, ip x.x.x.x

Does adding a host to the white_list.rules stop preprocessor rules from being applied to this host too?

No, that’s for IP Blacklisting.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team





More information about the Snort-users mailing list