<html><head></head><body>Suricata version 1.4.3 We are planning to upgrade it to the latest version.<div><br></div><div>The following did not work:</div><div><br></div><div><div>suppress gen_id 1, sig_id 0, track by_src, ip 12.54.51.87</div><div>suppress gen_id 1, sig_id 2101390, track by_src, ip 66.84.158.109</div><div>suppress gen_id 1, sig_id 2012252, track by_src, ip 199.96.162.40</div><div><br></div><div>We tried to following the examples in the threshold.config file but maybe we did not set these up correctly. We don't fully understand how the gen_id works so that might be the problem. We tried gen_id 0 and 1. Neither seem to work. The source IP addresses were not ignored. Still got drops with them.</div><div><br></div><div>Thanks.</div><div><br>Leonard Jacobs, MBA, CISSP<br>President/CEO<br>Netsecuris Inc.<br>P 952-641-1421 ext. 20<br>http://www.netsecuris.com<br><br><br><div>Anoop Saldanha <anoopsaldanha@gmail.com> , 8/22/2013 7:25 AM:<br><blockquote style="margin:0 0 0 .8ex;border-left:2px blue solid;padding-left:1ex;">On Thu, Aug 22, 2013 at 12:42 AM, Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com" class="mailto">ljacobs@netsecuris.com</a>> wrote:
<br>> I have been trying to exclude certain source IP addresses from triggering
<br>> alerts or drops. I read that there is a bug when performing global threshold
<br>> functions such as Suppress. Maybe that can be explained to me better on when
<br>> Suppress will work or not work.
<br>>
<br>> But when I use "suppress" in the threshold.config file and setup
<br>> suricata.yaml, the supression does not seem to work.
<br>>
<br>> What is the best way or proper way to have Suricata ignore a src IP?
<br>>
<br>
<br>Suppress should work fine.
<br>
<br>What version of suricata are you using? Can you post your suppress
<br>setup, the rule that you are using, and also the traffic that you are
<br>testing?
<br>
<br>--
<br>-------------------------------
<br>Anoop Saldanha
<br><a href="http://www.poona.me" target="_blank">http://www.poona.me</a>
<br>-------------------------------
<br></blockquote></div></div></div></body></html>