Snort mailing list archives

Re: Event_filter and suppression on same rule valid?


From: "Starner, Mark" <mark.starner () unisys com>
Date: Tue, 20 Nov 2012 14:05:53 -0600

Grrrr.. scratch that.... the ACTUAL ORDER IS:

suppress gen_id 122, sig_id 3, track by_src, ip [list of IP's here]
event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2,
seconds 180

So the suppression is in the threshold.conf file first, followed by the
event_filter.

Sorry for the multiple messages.


-----Original Message-----
From: Starner, Mark 
Sent: Tuesday, November 20, 2012 3:03 PM
To: 'snort-users () lists sourceforge net'
Subject: RE: Event_filter and suppression on same rule valid?

A correction, the order of the entries is:
event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2,
seconds 180
suppress gen_id 122, sig_id 3, track by_src, ip [list of IP's here]

So the event_filter is in the threshold.conf file first, followed by the
suppression.

-----Original Message-----
From: Starner, Mark 
Sent: Tuesday, November 20, 2012 2:58 PM
To: snort-users () lists sourceforge net
Subject: Event_filter and suppression on same rule valid?

Running snort 2.9.3.1

We have two entries in the threshold.conf file:

event_filter gen_id 122, sig_id 3, type limit, track by_src, count 2,
seconds 180
suppress gen_id 122, sig_id 3, track by_src, ip [list of IP's here]

The suppression seems to be working fine, but the event_filter isn't. 

We want to suppress the 122:3 alerts from a specific set of IP's, but just
want to limit the number of alerts from everyone else and we are seeing more
than 2 alerts in a 3 minute timeframe for those IP's not suppressed.

Should this work???

Thanks
Mark
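Added example, not Snort's code or the poster's: a small Python model of what the two threshold.conf entries above ask for, following the Snort manual's definition of `type limit` (log the first `count` events per source, then drop the rest of that `seconds` window) and assuming suppression is checked before the event_filter regardless of file order. The IP list and event timeline are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-ins for "[list of IP's here]" and for a burst of 122:3 events.
SUPPRESSED_SRC = ["10.0.0.5", "10.0.1.0/24"]
EVENTS = [  # (seconds since start, source IP) for gen_id 122, sig_id 3
    (0, "192.0.2.10"), (5, "198.51.100.7"), (10, "192.0.2.10"),
    (20, "192.0.2.10"), (100, "192.0.2.10"), (150, "10.0.0.5"),
    (160, "10.0.1.9"), (200, "192.0.2.10"), (500, "192.0.2.10"),
]

class Suppress:
    """Models: suppress gen_id 122, sig_id 3, track by_src, ip <list>"""
    def __init__(self, ip_list):
        self.nets = [ip_network(n, strict=False) for n in ip_list]

    def matches(self, src):
        return any(ip_address(src) in n for n in self.nets)

@dataclass
class LimitFilter:
    """Models: event_filter ... type limit, track by_src, count N, seconds S.
    Log the first N events from a source, drop the rest of that S-second window."""
    count: int
    seconds: int
    _windows: dict = field(default_factory=dict)  # src -> (window_start, events_seen)

    def allow(self, src, t):
        start, seen = self._windows.get(src, (None, 0))
        if start is None or t - start >= self.seconds:
            start, seen = t, 0  # the first event after the window expires opens a new one
        seen += 1
        self._windows[src] = (start, seen)
        return seen <= self.count

def apply_threshold(events, suppress, limit):
    """Return the (time, src) pairs that would still be logged."""
    logged = []
    for t, src in events:
        if suppress.matches(src):   # assumption: suppression is evaluated first,
            continue                # independent of its position in threshold.conf
        if limit.allow(src, t):
            logged.append((t, src))
    return logged

def run_example():
    return apply_threshold(EVENTS, Suppress(SUPPRESSED_SRC), LimitFilter(count=2, seconds=180))

if __name__ == "__main__":
    for t, src in run_example():
        print(f"t={t:>3}s  122:3 logged from {src}")
```

With these inputs the listed sources never log, and 192.0.2.10 logs twice at the start of each 180-second window (t=0 and t=10, then t=200, then t=500), which is the behaviour the thread expects.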

Snort-users mailing list
Snort-users () lists sourceforge net