Snort mailing list archives

Help with Suppression

From: Thanos Constantopoulos via Snort-devel <snort-devel () lists snort org>
Date: Fri, 8 Feb 2019 12:04:13 +0200

Hello All,

We are running Snort3.0.0-250 as IDS and we are trying to suppress
several IP addresses from the logs (global suppression from all
signatures). In order to perform this for specific IP addresses by
source we add the below under snort.lua

suppress =

{
{ gid = 119, sid = 228 },
{ gid = 119, sid 225 },
{ gid  = 0, sid =0, track = by_src, ip = '10.10.10.10', ip = '192.168.10.10' },
}

My questions are:

- Is there a way to use additional suppresion rules to cover by_src
with the same gid and sid?
- Is there a way to use additional suppresion rules to cover by_src
and by_dst, to totally exluded a subnet or IP address?
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Help with Suppression Thanos Constantopoulos via Snort-devel (Feb 08)
- Re: Help with Suppression Russ via Snort-devel (Feb 08)
  - Re: Help with Suppression Tim Townsend (Feb 08)
    - Re: Help with Suppression lbelyeu71--- via Snort-devel (Feb 08)
- <Possible follow-ups>
- Re: Help with Suppression Thanos Constantopoulos via Snort-devel (Feb 23)
  - Re: Help with Suppression Eugenio Pérez via Snort-devel (Feb 23)