Snort mailing list archives

Re: Thresholding & Suppressing


From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 1 Aug 2013 15:30:28 -0600

Suppress, as you can see, only works with one flag or the other.

You could write a pass rule in the local.rules to allow this traffic
between those ports and IPs.

You could also write a BPF to have Snort ignore that traffic
and port completely.

I myself tend to write pass rules when I need this, but that's just me.

On Thu, Aug 1, 2013 at 3:03 PM, Turnbough, Bradley E.
<bturnbough () belcan com> wrote:
Guys,

I'm looking to completely suppress an alert from one specific IP to another specific IP, but I want to alert on 
others.  Is this possible?

I tried:

suppress gen_id 1, sig_id 1948, track by_src, ip 1.2.3.4/32, track by_dst, ip 5.6.7.8/32

But I get:

"ERROR: threshold.conf(60) suppress has extra option of type: track.
Fatal Error, Quitting.."


It appears I can either suppress by source OR by destination, but I need BOTH.

Ideas?

Brad
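Jeremy's pass-rule suggestion written out, as an added example that is not part of the thread. The sid 1000001, the tcp protocol and the comment lines are assumptions; the detection options of sid 1948 are not on this page, so they are left as a labelled placeholder to be copied from the original rule.

```snort
# local.rules (added example, not from the original post)
#
# A pass rule matches only what its own options match. If the detection
# options of sid 1948 are NOT copied in below, this rule passes every packet
# between the two hosts and silences ALL signatures for that pair, not just
# 1948. Also confirm in snort.conf (config order) that pass rules are
# evaluated before alert rules, otherwise the alert still fires.
pass tcp 1.2.3.4 any -> 5.6.7.8 any ( \
    msg:"PASS sid 1948 only for 1.2.3.4 -> 5.6.7.8"; \
    <detection options copied verbatim from sid 1948 go here>; \
    sid:1000001; rev:1; \
)

# Jeremy's other option, a BPF file loaded with `snort -F <file>`: this drops
# the whole host pair before detection, so NO rule will ever see it.
#   not (src host 1.2.3.4 and dst host 5.6.7.8)
```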

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
