[Oisf-users] Questions on using Suppress

Leonard Jacobs ljacobs at netsecuris.com
Thu Aug 22 13:04:03 UTC 2013

Suricata version 1.4.3  We are planning to upgrade it to the latest version.
The following did not work:
suppress gen_id 1, sig_id 0, track by_src, ip gen_id 1, sig_id 2101390, track by_src, ip gen_id 1, sig_id 2012252, track by_src, ip
We tried to following the examples in the threshold.config file but maybe we did not set these up correctly.  We don't fully understand how the gen_id works so that might be the problem.  We tried gen_id 0 and 1.  Neither seem to work.  The source IP addresses were not ignored.  Still got drops with them.
Leonard Jacobs, MBA, CISSP
Netsecuris Inc.
P 952-641-1421 ext. 20

Anoop Saldanha <anoopsaldanha at gmail.com> , 8/22/2013 7:25 AM:
On Thu, Aug 22, 2013 at 12:42 AM, Leonard Jacobs <ljacobs at netsecuris.com> wrote: 
> I have been trying to exclude certain source IP addresses from triggering 
> alerts or drops. I read that there is a bug when performing global threshold 
> functions such as Suppress. Maybe that can be explained to me better on when 
> Suppress will work or not work. 
> But when I use "suppress" in the threshold.config file and setup 
> suricata.yaml, the supression does not seem to work. 
> What is the best way or proper way to have Suricata ignore a src IP? 
Suppress should work fine. 
What version of suricata are you using?  Can you post your suppress 
setup, the rule that you are using, and also the traffic that you are 
Anoop Saldanha 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130822/459a151a/attachment-0002.html>

More information about the Oisf-users mailing list