Snort mailing list archives

Event_filter and suppression on same rule valid?


From: "Starner, Mark" <mark.starner () unisys com>
Date: Tue, 20 Nov 2012 13:58:27 -0600

Running snort 2.9.3.1

We have two entries in the threshold.conf file:

event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2, seconds 180
suppress gen_id 122, sig_id 3, track by_src, ip [list of IP's here]

The suppression seems to be working fine, but the event_filter isn't.

We want to suppress the 122:3 alerts from a specific set of IPs, but just
want to limit the number of alerts from everyone else, and we are seeing more
than 2 alerts in a 3 minute timeframe for those IPs not suppressed.

Should this work???

Thanks
Mark
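The behaviour the two threshold.conf entries above are meant to produce, as an added model written for this page (it is not Snort's code and not part of the thread): per the Snort manual, suppress entries are tested before event_filter entries, and a `type limit` filter tracked by_src alerts on the first `count` events from each source in every `seconds` window and drops the rest of that window. The bracketed address list stands in for the post's "[list of IP's here]" and the event sequence is constructed, so the per-source counts at the end are what the configuration should yield, which is the reference to compare a live sensor against.

```python
"""Model of Snort 2.9 threshold.conf semantics (added example, not Snort's code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed threshold.conf text mirroring the post's two entries. The bracketed
# address list is an assumed stand-in for "[list of IP's here]".
THRESHOLD_CONF = """
event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2, seconds 180
suppress gen_id 122, sig_id 3, track by_src, ip [10.0.0.5, 10.0.0.0/30]
"""


class EventFilter:
    """Simplified event_filter: types limit / threshold / both, tracked by_src or by_dst."""

    def __init__(self, ftype, track, count, seconds):
        self.ftype, self.track, self.count, self.seconds = ftype, track, count, seconds
        self.state = {}  # tracked address -> (window_start, hits_in_window)

    def allow(self, ts, src, dst):
        key = src if self.track == "by_src" else dst
        start, hits = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, hits = ts, 0  # previous window expired: start a new one
        hits += 1
        self.state[key] = (start, hits)
        if self.ftype == "limit":      # first `count` events in the window alert
            return hits <= self.count
        if self.ftype == "threshold":  # every `count`-th event alerts
            return hits % self.count == 0
        if self.ftype == "both":       # once per window, on the `count`-th event
            return hits == self.count
        raise ValueError("unknown event_filter type: " + self.ftype)


def parse_threshold_conf(text):
    """Return ({(gen_id, sig_id): EventFilter}, {(gen_id, sig_id): [(track, [nets])]})."""
    filters, suppressions = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        # The ip value may be a bracketed comma-separated list, so pull it out before
        # splitting the remaining "key value" fields on commas.
        nets = []
        m = re.search(r"\bip\s+(\[[^\]]*\]|\S+)", rest)
        if m:
            nets = [ipaddress.ip_network(s.strip()) for s in m.group(1).strip("[]").split(",")]
            rest = rest[:m.start()] + rest[m.end():]
        opts = dict(f.strip().split() for f in rest.split(",") if f.strip())
        key = (int(opts["gen_id"]), int(opts["sig_id"]))
        if kind == "event_filter":
            filters[key] = EventFilter(opts["type"], opts["track"],
                                       int(opts["count"]), int(opts["seconds"]))
        elif kind == "suppress":
            # no track/ip means "suppress this gen_id:sig_id entirely"
            suppressions[key].append((opts.get("track"), nets))
        else:
            raise ValueError("unknown directive: " + kind)
    return filters, suppressions


def is_suppressed(suppressions, key, src, dst):
    for track, nets in suppressions.get(key, []):
        if track is None:
            return True
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if any(addr in net for net in nets):
            return True
    return False


def process(events, filters, suppressions):
    """Return the events that still alert: suppression first, then the event_filter."""
    alerted = []
    for ts, gen_id, sig_id, src, dst in events:
        key = (gen_id, sig_id)
        if is_suppressed(suppressions, key, src, dst):
            continue
        flt = filters.get(key)
        if flt is None or flt.allow(ts, src, dst):
            alerted.append((ts, gen_id, sig_id, src, dst))
    return alerted


# Constructed 122:3 events as (seconds, gen_id, sig_id, src, dst).
EVENTS = [
    (0,   122, 3, "10.0.0.5",   "203.0.113.9"),  # listed in suppress: never alerts
    (5,   122, 3, "10.0.0.2",   "203.0.113.9"),  # inside 10.0.0.0/30: never alerts
    (10,  122, 3, "192.0.2.10", "203.0.113.9"),  # 1st in window: alert
    (20,  122, 3, "192.0.2.10", "203.0.113.9"),  # 2nd: alert
    (30,  122, 3, "192.0.2.10", "203.0.113.9"),  # 3rd within 180 s: limited
    (40,  122, 3, "192.0.2.10", "203.0.113.9"),  # 4th: limited
    (200, 122, 3, "192.0.2.10", "203.0.113.9"),  # 190 s after window start: alert
    (205, 122, 3, "192.0.2.11", "203.0.113.9"),  # other source has its own counter
    (210, 122, 4, "192.0.2.10", "203.0.113.9"),  # other sig_id: no filter applies
]


def alerts_by_source(events=EVENTS, conf=THRESHOLD_CONF, key=(122, 3)):
    """Alert count per source for one gen_id:sig_id after suppression and filtering."""
    filters, sups = parse_threshold_conf(conf)
    counts = defaultdict(int)
    for _, gen_id, sig_id, src, _ in process(events, filters, sups):
        if (gen_id, sig_id) == key:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print(alerts_by_source())
```

With the post's two entries this yields three alerts from 192.0.2.10 (two in the first 180 s window, one when the window expires) and none from the suppressed addresses. Replaying a captured sequence of 122:3 triggers through a sensor (for example with `snort -r` on a pcap) and comparing per-source counts against this reference is the check that separates a configuration mistake from a sensor problem.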

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net