<div dir="ltr">I don't have any ideas on why the suppress isn't working, hopefully someone else may have an idea there.<div><br></div><div>I'm chasing down that false positive though. Looks like that IP is an IRC server as well, which is probably where it got listed in the shadowserver feed. Will ping them to see if they're ok removing it.</div>
<div><br></div><div style>Matt</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jan 6, 2013 at 3:05 PM, Josh Brower <span dir="ltr"><<a href="mailto:joshbrower@gmail.com" target="_blank">joshbrower@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am using Suricata with the latest version of Security Onion (12.04), which uses Suricata 1.3.3.  I have threshold.conf with 18 entries.  I have verified that Suricata loaded those 18 rules on startup ("Threshold config parsed: 18 rule(s) found")<p>


</p><div>But I still get alerts firing for these entries... For example, in my threshold.conf:</div><div><br></div><div><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">


#Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38) <span style="color:rgb(85,85,85)"> for  SOSERVER- False Positive -<span style="color:rgb(71,71,71)"> 12/12</span></span></p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">


<span style="color:rgb(71,71,71)"> </span>suppress gen_id 1, sig_id <span style="color:rgb(71,71,71)">2404037</span>, track by_dst, ip 72.8.140.222</p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">


I restart Suricata, and I still get this alert firing for the dst IP of 72.8.140.222.</p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">

What should I tshoot next?</p><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">Thanks</p><span class="HOEnZb"><font color="#888888"><p style="font-size:13px;line-height:17.33333396911621px;color:rgb(51,51,51);background-image:none;padding:0px;margin-bottom:10px;font-family:Arial,Helvetica,FreeSans,sans-serif">

-Josh</p></font></span></div></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><br><br>----------------------------------------------------<br>
Matt Jonkman<br>Emerging Threats Pro<br>Open Information Security Foundation (OISF)<br>Phone 866-504-2523 x110<br><a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br><a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------
</div>
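A small checker for the suppress semantics discussed in this thread, added here as an example and not code from the thread or from Suricata itself: it parses `suppress` lines from threshold.conf and decides whether a given alert (gid, sid, source, destination) would be matched, which is one way to confirm that a `track by_dst` entry only ever covers alerts where the listed address is the destination. The second entry and the sample alerts are constructed; bracketed address lists, `threshold` and `rate_filter` lines are not handled.

```python
import ipaddress
import re

# Constructed sample: the suppress entry from the thread plus a second, broader
# by_src entry, written as they would appear in threshold.conf.
THRESHOLD_CONF = """
#Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38) - False Positive - 12/12
suppress gen_id 1, sig_id 2404037, track by_dst, ip 72.8.140.222
suppress gen_id 1, sig_id 2404037, track by_src, ip 10.10.0.0/16
"""

# suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst>, ip <ip|cidr>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(text):
    """Return one dict per 'suppress' line; comments and other line types are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        if not m:
            continue
        gid, sid, track, ip = m.groups()
        entries.append({
            "gid": int(gid), "sid": int(sid), "track": track,
            # A single address becomes a /32 (or /128) network so CIDR and host
            # entries are matched the same way.
            "net": ipaddress.ip_network(ip, strict=False) if ip else None,
        })
    return entries


def is_suppressed(entries, gid, sid, src, dst):
    """True if an alert (gid, sid, src_ip, dst_ip) matches any suppress entry.

    An entry without 'track' suppresses every alert for that signature; a
    by_dst entry is checked against the destination, by_src against the source.
    """
    for e in entries:
        if (e["gid"], e["sid"]) != (gid, sid):
            continue
        if e["track"] is None:
            return True
        addr = ipaddress.ip_address(dst if e["track"] == "by_dst" else src)
        if addr in e["net"]:
            return True
    return False
```

If the alert you still see has 72.8.140.222 as the source rather than the destination, a by_dst entry will not cover it and a by_src (or track-less) entry is needed instead.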