<p dir="ltr">Did you set the sig_id to 2015665 in your suppress rule?</p>
<div class="gmail_quote">On Nov 3, 2013 9:16 AM, "Leonard Jacobs" &lt;<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">Suricata version 1.4.6</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:'Courier New'">alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:1;)</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">Keep in mind that I have seen the issue occur with other signatures as well.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">I used the links you gave me to actually create the threshold statements.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">Thanks.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">Leonard</span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> Peter Manev [mailto:<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>] <br>
<b>Sent:</b> Sunday, November 03, 2013 4:09 AM<br><b>To:</b> Leonard Jacobs<br><b>Cc:</b> oisf-users<br><b>Subject:</b> Re: [Oisf-users] IP Address Suppression Issue</span></p>
<div><div><div><p class="MsoNormal">On Sat, Nov 2, 2013 at 6:41 PM, Leonard Jacobs &lt;<a href="mailto:ljacobs@netsecuris.com" target="_blank">ljacobs@netsecuris.com</a>&gt; wrote:</p>
<div><div><p class="MsoNormal">When setting a destination IP address to suppress alerts in the threshold.config file, it is not suppressing alerts for the signature CURRENT_EVENTS NeoSploit - TDS. Can anyone tell me why it does not suppress alerts for that signature?</p>
<p class="MsoNormal">I am using the following in the threshold.config file.</p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:'Courier New'">suppress gen_id 1, sig_id 0, track by_dst, ip 184.106.100.154</span></p>
<p class="MsoNormal">That address resolves to <a href="http://www.bookashowing.com" target="_blank">www.bookashowing.com</a>.</p>
<p class="MsoNormal">Thanks.</p></div></div>
<div><p class="MsoNormal">Can you please post the signature?</p></div>
<div><p class="MsoNormal" style="margin-bottom:12.0pt">What Suricata version are you using?</p></div>
<div><p class="MsoNormal">Have you looked here:<br><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds</a></p></div>
<div><p class="MsoNormal" style="margin-bottom:12.0pt">and here:<br><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding</a></p></div>
<div><p class="MsoNormal">thanks</p></div></div>
<p class="MsoNormal"><br>-- </p><div><p class="MsoNormal">Regards,</p></div><div><p class="MsoNormal">Peter Manev</p></div></div></div></div></div><br>_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></blockquote></div>
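<p>The suppress entry quoted in the thread can be checked against concrete alerts before assuming a bug. The following is an added example, not code from the thread or from Suricata: a small Python model of how a threshold.config suppress entry applies, as the linked thresholding docs describe it (gen_id and sig_id must match, with sig_id 0 standing for every signature of that gen_id; track by_src or by_dst selects which address of the alert is compared with ip; an entry with no track clause suppresses the signature for any address). The alert records, the 10.0.0.5 host and the second sid 2100498 are constructed, and matching ip as an address-or-CIDR via Python's ipaddress module is my simplification, not Suricata's own code.</p>

```python
import ipaddress
import re
from typing import Dict, List

# Added example (not Suricata's code): a minimal model of threshold.config
# "suppress" entries, with or without a "track ..., ip ..." clause, used to
# check which sample alerts a given entry would cover.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_suppress(line: str) -> dict:
    """Return the entry's fields; sig_id 0 is kept as the wildcard value."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError("not a suppress entry: %r" % line)
    gid, sid, track, ip = m.groups()
    return {
        "gen_id": int(gid),
        "sig_id": int(sid),
        "track": track,  # None: the entry has no address clause
        "net": ipaddress.ip_network(ip, strict=False) if ip else None,
    }

def is_suppressed(entry: dict, alert: Dict[str, object]) -> bool:
    """alert carries gid, sid, src_ip and dest_ip, as an EVE record would."""
    if entry["gen_id"] != alert["gid"]:
        return False
    if entry["sig_id"] not in (0, alert["sid"]):  # sig_id 0 matches every sid
        return False
    if entry["track"] is None:
        return True
    # by_src compares the alert's source address, by_dst its destination
    addr = alert["src_ip"] if entry["track"] == "by_src" else alert["dest_ip"]
    return ipaddress.ip_address(addr) in entry["net"]

# Constructed alerts. The quoted rule is $HOME_NET -> $EXTERNAL_NET, so on a
# real hit of sid 2015665 the external server is the *destination* (record 1).
ALERTS = [
    {"gid": 1, "sid": 2015665, "src_ip": "10.0.0.5", "dest_ip": "184.106.100.154"},
    {"gid": 1, "sid": 2015665, "src_ip": "184.106.100.154", "dest_ip": "10.0.0.5"},
    {"gid": 1, "sid": 2100498, "src_ip": "10.0.0.5", "dest_ip": "184.106.100.154"},
]

def coverage(config_line: str) -> List[bool]:
    """Which of ALERTS the entry suppresses, in order."""
    entry = parse_suppress(config_line)
    return [is_suppressed(entry, a) for a in ALERTS]
```

Running coverage() on the quoted sig_id 0 entry and on a sig_id 2015665 variant shows what each should cover for the same alert set, which is the baseline to compare against the alerts Suricata actually still emits.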