Snort mailing list archives
Re: Help with Suppression
From: Tim Townsend <Tim () SaifulBouquet com>
Date: Fri, 8 Feb 2019 17:28:12 +0000
I have removed myself from this group several times through the website but I am still getting emails. Can someone please remove me? Thanks

TIM TOWNSEND
IT Director

-----Original Message-----
From: Snort-devel [mailto:snort-devel-bounces () lists snort org] On Behalf Of Russ via Snort-devel
Sent: Friday, February 08, 2019 9:29 AM
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Help with Suppression

Hey Thanos,

You can only set one suppression per gid:sid pair so you can't at the moment fully exclude a gid:sid by suppression. Are the alerts you are trying to suppress with 0:0 based on builtin rules? You may be able to configure multiple policies differently to work around some cases.

Also, I'm curious about your suppression of 119:225 and 119:228. Can you share any data on those like -A cmg output or maybe a pcap?

Thanks
Russ

On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
Hello All,

We are running Snort3.0.0-250 as IDS and we are trying to suppress several IP addresses from the logs (global suppression from all signatures). In order to perform this for specific IP addresses by source we add the below under snort.lua:

    suppress =
    {
        { gid = 119, sid = 228 },
        { gid = 119, sid = 225 },
        -- track is a quoted string (a bare by_src is an undefined Lua global, i.e. nil);
        -- a key repeated inside one Lua table keeps only its last value.
        { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10', ip = '192.168.10.10' },
    }

My questions are:

- Is there a way to use additional suppression rules to cover by_src with the same gid and sid?
- Is there a way to use additional suppression rules to cover by_src and by_dst, to totally exclude a subnet or IP address?

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
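A small lint pass over a snort.lua suppress table, added here as an example and not code from the thread or from the Snort project: it parses the Lua table and flags the mistakes the exchange above turns on, a repeated key that Lua silently collapses, a bare (unquoted) track value, a dropped '=', and more than one entry for the same gid:sid, which per Russ's reply Snort 3 does not honour. The sample table is constructed from the posted one plus one extra 0:0 entry.

```python
import re
from collections import Counter

# Constructed sample (nobody's real snort.lua): the table as posted, plus one extra 0:0 entry.
SAMPLE_LUA = """suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid 225 },
    { gid = 0, sid = 0, track = by_src, ip = '10.10.10.10', ip = '192.168.10.10' },
    { gid = 0, sid = 0, track = 'by_dst', ip = '192.168.10.0/24' },
}
"""

ENTRY_RE = re.compile(r"\{([^{}]*)\}")
FIELD_RE = re.compile(r"(\w+)\s*=\s*('[^']*'|\"[^\"]*\"|[\w./]+)")
VALID_TRACK = ("'by_src'", '"by_src"', "'by_dst'", '"by_dst"')

def parse_suppress(lua_text):
    """One list of (key, value) pairs per entry; a list, so repeated keys survive."""
    m = re.search(r"suppress\s*=\s*\{(.*)\}", lua_text, re.S)
    if not m:
        return []
    return [FIELD_RE.findall(body) for body in ENTRY_RE.findall(m.group(1))]

def lint_suppress(entries):
    """Flag mistakes that Lua or Snort would otherwise accept silently."""
    findings = []
    for n, fields in enumerate(entries, 1):
        keys = dict(fields)
        for key in ("gid", "sid"):
            if key not in keys:
                findings.append(f"entry {n}: missing '{key}' (dropped '=' ?)")
        for key, count in Counter(k for k, _ in fields).items():
            if count > 1:
                findings.append(f"entry {n}: key '{key}' repeated; Lua keeps only the last value")
        track = keys.get("track")
        if track is not None and track not in VALID_TRACK:
            findings.append(f"entry {n}: track = {track} is a bare name (nil in Lua); "
                            "use the string 'by_src' or 'by_dst'")
    # As Russ notes in the thread, only one suppression per gid:sid pair takes effect.
    pairs = Counter((dict(f).get("gid"), dict(f).get("sid")) for f in entries)
    for (gid, sid), count in pairs.items():
        if count > 1:
            findings.append(f"{gid}:{sid} appears {count} times; only one suppression per gid:sid applies")
    return findings

if __name__ == "__main__":
    for finding in lint_suppress(parse_suppress(SAMPLE_LUA)):
        print(finding)
```

Run against the sample it reports four findings: the dropped '=' in entry 2, the repeated ip key and bare by_src in entry 3, and 0:0 appearing twice.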
Current thread:
- Help with Suppression Thanos Constantopoulos via Snort-devel (Feb 08)
- Re: Help with Suppression Russ via Snort-devel (Feb 08)
- Re: Help with Suppression Tim Townsend (Feb 08)
- Re: Help with Suppression lbelyeu71--- via Snort-devel (Feb 08)
- Re: Help with Suppression Tim Townsend (Feb 08)
- <Possible follow-ups>
- Re: Help with Suppression Thanos Constantopoulos via Snort-devel (Feb 23)
- Re: Help with Suppression Eugenio Pérez via Snort-devel (Feb 23)
- Re: Help with Suppression Russ via Snort-devel (Feb 08)