Snort mailing list archives

suppress not working for emerging threats rules


From: Matthew Ritenburg <Matthew.Ritenburg () ctg com>
Date: Tue, 2 Jun 2015 18:24:40 +0000

I am testing suppressing all events for one IP address.  I am using a single suppress line in threshold.conf:

suppress gen_id 0, sig_id 0, track by_src, ip 192.168.100.25

Based on the documentation, I would expect this to suppress all events, but it appears that Emerging Threats rules are still triggered:

[1:2001978:6] ET POLICY SSH session in progress on Expected Port
[1:2003020:9] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
[1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432

Is this a bug?  Is there a trick to suppressing Emerging Threats rules?

Thanks,

Matthew
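An added example (not from the original post or from the Snort project) that models the suppress matching semantics described in the Snort manual: gen_id 0 and sig_id 0 act as wildcards, `track` selects which address of the event is compared, and `ip` may be a plain address or a CIDR block. It shows why a single `track by_src` line cannot match events in which the host is the destination, such as an inbound alert, and how a second `by_dst` line covers that direction; the alert tuples and the second config line are constructed.

```python
import ipaddress
import re

# Assumed grammar, from the Snort manual's suppress syntax: the track/ip pair
# is optional, and this model accepts a single address or CIDR (not a list).
SUPPRESS_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_threshold_conf(text):
    """Return a list of (gen_id, sig_id, track, network) tuples from suppress lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unparsable suppress line: %r" % line)
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules


def is_suppressed(rules, gid, sid, src, dst):
    """True if any suppress line would drop the event gid:sid from src to dst."""
    for r_gid, r_sid, track, net in rules:
        if r_gid not in (0, gid) or r_sid not in (0, sid):
            continue                                # 0 is a wildcard for either id
        if track is None:
            return True                             # no track: suppress everywhere
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if addr in net:
            return True
    return False


# The poster's single line, then a constructed config that adds the by_dst direction.
CONF_BY_SRC = "suppress gen_id 0, sig_id 0, track by_src, ip 192.168.100.25\n"
CONF_BOTH = CONF_BY_SRC + "suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.100.25\n"

if __name__ == "__main__":
    by_src = parse_threshold_conf(CONF_BY_SRC)
    # Constructed events: the ET sid from the post with the host as source, then as destination.
    print(is_suppressed(by_src, 1, 2010939, "192.168.100.25", "10.0.0.5"))   # True
    print(is_suppressed(by_src, 1, 2010939, "10.0.0.5", "192.168.100.25"))   # False
    print(is_suppressed(parse_threshold_conf(CONF_BOTH), 1, 2010939, "10.0.0.5", "192.168.100.25"))  # True
```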

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net