Snort mailing list archives

Re: Help with Suppression


From: lbelyeu71--- via Snort-devel <snort-devel () lists snort org>
Date: Fri, 8 Feb 2019 19:35:15 +0000 (UTC)

Please remove me as well. No longer in this profession.

On Friday, February 8, 2019, 11:35:47 AM CST, Tim Townsend <Tim () SaifulBouquet com> wrote:

I have removed myself from this group several times through the website but I am still getting emails. Can someone please remove me?

Thanks

TIM TOWNSEND
IT Director


-----Original Message-----
From: Snort-devel [mailto:snort-devel-bounces () lists snort org] On Behalf Of Russ via Snort-devel
Sent: Friday, February 08, 2019 9:29 AM
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Help with Suppression

Hey Thanos,

You can only set one suppression per gid:sid pair so you can't at the moment fully exclude a gid:sid by suppression.

Are the alerts you are trying to suppress with 0:0 based on builtin rules?  You may be able to configure multiple policies 
differently to work around some cases.

Also, I'm curious about your suppression of 119:225 and 119:228. Can you share any data on those like -A cmg output or 
maybe a pcap?

Thanks
Russ

On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
Hello All,

We are running Snort 3.0.0-250 as IDS and we are trying to suppress 
several IP addresses from the logs (global suppression from all 
signatures). In order to perform this for specific IP addresses by 
source we add the below under snort.lua

suppress =
{
    { gid = 119, sid = 228 },
    -- as posted this line read "sid 225" (the '=' was missing)
    { gid = 119, sid = 225 },
    -- track must be a quoted string ('by_src' or 'by_dst'); the repeated ip key
    -- is legal Lua but only the last value ('192.168.10.10') is kept
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10', ip = '192.168.10.10' },
}

My questions are:

- Is there a way to use additional suppression rules to cover by_src 
with the same gid and sid?
- Is there a way to use additional suppression rules to cover by_src 
and by_dst, to totally exclude a subnet or IP address?
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
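Added example, not code from the thread and not part of Snort: a small Python checker for a `suppress` table of the shape posted above. Run over the posted snippet (embedded below as constructed input) it reports the three defects a reader might otherwise miss: a `sid` with no `=`, an unquoted `track` value, and a repeated `ip` key, which Lua accepts but collapses to the last value, so 10.10.10.10 would never be suppressed. The key names gid/sid/track/ip and the track values 'by_src'/'by_dst' are assumed from the Snort 3 suppress syntax; the parser is deliberately limited to flat `{ key = value, ... }` entries and does not answer the one-suppression-per-gid:sid question Russ raises.

```python
"""Lint a Snort 3 style ``suppress = { {...}, {...} }`` table (added example)."""
import re

# Constructed input: the snippet exactly as it appeared in the thread.
POSTED_CONFIG = """suppress =
{
{ gid = 119, sid = 228 },
{ gid = 119, sid 225 },
{ gid  = 0, sid =0, track = by_src, ip = '10.10.10.10', ip =
'192.168.10.10' }, }
"""

# Constructed: the same table with the syntax defects fixed and one ip per entry.
CORRECTED_CONFIG = """suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10' },
}
"""

# Assumption: these are the keys and track values Snort 3 accepts in suppress entries.
VALID_KEYS = {"gid", "sid", "track", "ip"}
VALID_TRACK = {"by_src", "by_dst"}


def split_entries(config):
    """Return the body text of every inner { ... } table, skipping the outer braces."""
    body = config[config.index("{") + 1:]
    return re.findall(r"\{([^{}]*)\}", body)


def lint_entry(index, text):
    """Return human-readable problems for one suppress entry (empty list if clean)."""
    problems = []
    seen = {}
    for field in re.split(r",\s*", text.strip()):
        field = field.strip()
        if not field:
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(.+)", field, re.S)
        if m is None:
            # e.g. "sid 225": remember the key so we do not also report it as missing
            seen[field.split()[0]] = None
            problems.append(f"entry {index}: '{field}' is not key = value (missing '=')")
            continue
        key, value = m.group(1), m.group(2).strip()
        if key not in VALID_KEYS:
            problems.append(f"entry {index}: unknown key '{key}'")
        if key in seen:
            # Lua table constructors allow repeated keys; the last assignment wins silently.
            problems.append(f"entry {index}: duplicate key '{key}'; Lua keeps only the last value {value}")
        seen[key] = value
        if key == "track":
            quoted = re.fullmatch(r"['\"](\w+)['\"]", value)
            if quoted is None:
                problems.append(f"entry {index}: track value {value} is unquoted; use 'by_src' or 'by_dst'")
            elif quoted.group(1) not in VALID_TRACK:
                problems.append(f"entry {index}: track value {value} is not by_src or by_dst")
    for required in ("gid", "sid"):
        if required not in seen:
            problems.append(f"entry {index}: missing '{required}'")
    return problems


def lint_config(config):
    """Lint every entry of a suppress table and return all problems found."""
    problems = []
    for index, entry in enumerate(split_entries(config), start=1):
        problems.extend(lint_entry(index, entry))
    return problems


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        found = lint_config(cfg)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  " + p)
```

The checker is a text lint, not a Lua interpreter: it catches the mistakes that Lua itself would either reject at load time (`sid 225`) or accept silently (the bare identifier `by_src`, which evaluates to nil, and the repeated `ip` key), which is exactly the class of error that makes a suppression appear configured while suppressing nothing.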