Snort mailing list archives
suppress not working for emerging threats rules
From: Matthew Ritenburg <Matthew.Ritenburg () ctg com>
Date: Tue, 2 Jun 2015 18:24:40 +0000

I am testing suppressing all events for one IP address. I am using a single suppress line in threshold.conf:

    suppress gen_id 0, sig_id 0, track by_src, ip 192.168.100.25

Based on the documentation, I would expect this to suppress all events, but it appears that emerging threats rules are still triggered:

    [1:2001978:6] ET POLICY SSH session in progress on Expected Port
    [1:2003020:9] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
    [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432

Is this a bug? Is there a trick to suppressing emerging threats rules?

Thanks,
Matthew
Current thread:
- suppress not working for emerging threats rules Matthew Ritenburg (Jun 02)