<div dir="ltr">This seems like a core thing to have broken. Is there no unit test for this?</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 31, 2015 at 6:56 AM, Andreas Herz <span dir="ltr"><<a href="mailto:andi@geekosphere.org" target="_blank">andi@geekosphere.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span class=""><br>
On 31/03/15 at 08:51, Barkley, Joey wrote:<br>
> I am having some trouble getting some rules suppressed in my<br>
> threshold.conf file. I have verified the file path in my suricata.yaml<br>
> file. I want to basically turn off certain rules for certain IPs. Here<br>
> is a sample of what I have in the file:<br>
<br>
</span>suppress is not working as intended at the moment, see the issues<br>
related to that:<br>
<br>
<a href="https://redmine.openinfosecfoundation.org/issues/1247" target="_blank">https://redmine.openinfosecfoundation.org/issues/1247</a><br>
<br>
<a href="https://redmine.openinfosecfoundation.org/issues/1243" target="_blank">https://redmine.openinfosecfoundation.org/issues/1243</a><br>
<span class="im HOEnZb"><br>
<br>
> # Suppress Nessus alerts for the nessus server...<br>
> suppress gen_id 1, sig_id 2002664, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ET SCAN Nessus User Agent<br>
> suppress gen_id 1, sig_id 2102585, track by_src, ip <IPADDRESS_TO_EXCLUDE> # GPL SCAN nessus 2.x 404 probe<br>
> suppress gen_id 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ETPRO SCAN Nessus Scanner UPNP Broadcast<br>
><br>
> So I have one nessus scanner and I don’t want to log nessus traffic<br>
> from it. This is just one example. I have several other false<br>
> positives with certain systems but I want to keep the rules available<br>
> for logging for everything else.<br>
><br>
> Am I messing up the syntax? I’ve searched and searched but all I can<br>
> find is some references to not being able to override “in rule limits”<br>
> and similar wording. Is it possible that this is what is happening<br>
> here? I find it hard to believe that I can’t suppress a rule for a<br>
> particular IP.<br>
><br>
> Thanks for the help.<br>
><br>
> Joey<br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List:<br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
<br>
</span><span class="HOEnZb"><font color="#888888">--<br>
Andreas Herz<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a></div></div></blockquote></div><br></div>
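<div dir="ltr">As an added example that is not part of this thread or of Suricata's own code: a small Python checker for threshold.conf suppress lines in the form quoted above. It parses a constructed fragment (the addresses are made up) and reports whether a given alert (gen_id, sig_id, source, destination) would be suppressed, so a file can be sanity-checked for syntax and intended effect before the engine itself is blamed. It assumes only the single-address/CIDR form shown in the thread, not Suricata's bracketed address lists or negation.</div>

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the threshold.conf quoted in the thread;
# the addresses are made-up RFC 5737 test ranges.
SAMPLE_THRESHOLD_CONF = """
# Suppress Nessus alerts for the nessus server...
suppress gen_id 1, sig_id 2002664, track by_src, ip 192.0.2.10   # ET SCAN Nessus User Agent
suppress gen_id 1, sig_id 2102585, track by_src, ip 192.0.2.10   # GPL SCAN nessus 2.x 404 probe
suppress gen_id 1, sig_id 2803236, track by_src, ip 192.0.2.0/24 # ETPRO SCAN Nessus Scanner UPNP Broadcast
"""
# Only the single-address / CIDR form used in the thread is accepted;
# Suricata's bracketed address lists and negation are not handled here.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*"
    r"track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+)$"
)

@dataclass
class Suppress:
    gid: int
    sid: int
    track: str   # "by_src" or "by_dst"
    net: object  # ipaddress network; a bare host becomes a /32 or /128

def parse_threshold_conf(text):
    """Parse suppress lines; raise ValueError on the first malformed line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: bad suppress syntax: {line!r}")
        gid, sid, track, ip = m.groups()
        rules.append(Suppress(int(gid), int(sid), track,
                              ipaddress.ip_network(ip, strict=False)))
    return rules

def is_suppressed(rules, gid, sid, src_ip, dst_ip):
    """True if alert (gid, sid) from src_ip to dst_ip matches a suppress rule."""
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue
        addr = ipaddress.ip_address(src_ip if r.track == "by_src" else dst_ip)
        if addr.version == r.net.version and addr in r.net:
            return True
    return False
```

Feed it the real file and the (gid, sid, src, dst) of an alert that should have been silent; a ValueError points at a syntax problem, a False result means the rule as written does not cover that alert.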