<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">Take a look at pass rules for that</div><div dir="ltr"><br></div><div dir="ltr"><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic</a></div><div dir="ltr"><br>On Oct 2, 2018, at 3:49 PM, Carlos Lopez &lt;<a href="mailto:clopmz@outlook.com">clopmz@outlook.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><span>Thanks Michal .. And is it possible to disable all alerts from a specific IP address? for example:</span><br><span></span><br><span>suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.1</span><br><span></span><br><span>Regards,</span><br><span>C. L. Martinez</span><br><span>________________________________________</span><br><span>From: Michał Purzyński &lt;<a href="mailto:michalpurzynski1@gmail.com">michalpurzynski1@gmail.com</a>&gt;</span><br><span>Sent: 02 October 2018 13:39</span><br><span>To: Carlos Lopez</span><br><span>Cc: Open Information Security Foundation</span><br><span>Subject: Re: [Oisf-users] Question about thresholds</span><br><span></span><br><span>A real world example that seems to work here</span><br><span></span><br><span></span><br><span>suppress gen_id 1, sig_id 2002027, track by_dst, ip [10.22.22.0/24,10.22.11.0/24,2620:1111:1111:1111::/64]</span><br><span></span><br><span>On Tue, Oct 2, 2018 at 1:18 PM Carlos Lopez &lt;<a href="mailto:clopmz@outlook.com">clopmz@outlook.com</a>&gt; wrote:</span><br><span>Hi all,</span><br><span></span><br><span> Maybe it is a stupid question, but is it not possible to configure a CIDR network to suppress some alerts via threshold.conf?, for example:</span><br><span></span><br><span>suppress gen_id 1, sig_id 2101201, track by_src, ip 192.168.1.0/24</span><br><span></span><br><span> If not, what can be the best strategy to accomplish this?</span><br><span></span><br><span>Regards,</span><br><span>C. L. Martinez</span><br><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span><br><span></span></div></blockquote></body></html>