[Oisf-users] GeoIP thresholding/suppression

Russell Fulton r.fulton at auckland.ac.nz
Fri Aug 23 19:44:36 UTC 2013

I currently do stuff like this once I have the alerts in the db. It would certainly be nice to do this through the thresholding.


On 24/08/2013, at 2:29 AM, Kevin Ross <kevross33 at googlemail.com>

> Hi,
> Not sure if this is on the cards, but the ability to do geoip thresholding could be useful in cases where a sig is useful but generates FPs within the local region.
> i.e.
> suppress gen_id 1, sig_id XXXXXX, track by_src, geoip GB
> That would give so much more flexibility in suppression, as I have signatures which are too useful to disable, but I get more FPs than anything else from them for local stuff within the country, which is legit but comes from different IPs.
> Kindest Regards,
> Kevin
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
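The post-processing approach Russell mentions, shown as an added example that is not from the thread or from Suricata: the proposed `geoip` keyword is parsed from the suppress syntax above and applied to already-stored alerts. It assumes EVE-style field names (`gid`, `sid`, `src_ip`, `dest_ip`), a constructed sid in place of `XXXXXX`, and a constructed CIDR-to-country table standing in for a real GeoIP database.

```python
# Added example, not from the thread or from Suricata: applying the proposed
#   suppress gen_id 1, sig_id XXXXXX, track by_src, geoip GB
# as a post-processing step over stored alerts. A constructed CIDR-to-country
# table stands in for a real GeoIP database so the code runs offline.
import ipaddress
import re

# Constructed lookup table (documentation prefixes, arbitrary countries).
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
]

def country_of(ip_str):
    """Two-letter country for an address, or None when the table has no entry."""
    ip = ipaddress.ip_address(ip_str)
    return next((cc for net, cc in GEOIP_TABLE if ip in net), None)

# Rule syntax as proposed in the thread; 'geoip' is a hypothetical keyword.
RULE_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+),\s*sig_id\s+(?P<sid>\d+),"
    r"\s*track\s+(?P<track>by_src|by_dst),\s*geoip\s+(?P<cc>[A-Z]{2})$"
)

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised suppress rule: %r" % text)
    return {"gid": int(m["gid"]), "sid": int(m["sid"]),
            "track": m["track"], "cc": m["cc"]}

def is_suppressed(alert, rule):
    """True when gid/sid match and the tracked address resolves to the rule's country."""
    if (alert["gid"], alert["sid"]) != (rule["gid"], rule["sid"]):
        return False
    addr = alert["src_ip"] if rule["track"] == "by_src" else alert["dest_ip"]
    return country_of(addr) == rule["cc"]

def filter_alerts(alerts, rules):
    """Drop alerts matched by any rule; everything else is kept, in order."""
    return [a for a in alerts if not any(is_suppressed(a, r) for r in rules)]

# Constructed alerts with EVE-style field names and a constructed sid.
SAMPLE_ALERTS = [
    {"gid": 1, "sid": 2000001, "src_ip": "192.0.2.10", "dest_ip": "10.0.0.5"},
    {"gid": 1, "sid": 2000001, "src_ip": "198.51.100.7", "dest_ip": "10.0.0.5"},
    {"gid": 1, "sid": 2000002, "src_ip": "192.0.2.11", "dest_ip": "10.0.0.5"},
    {"gid": 1, "sid": 2000001, "src_ip": "203.0.113.9", "dest_ip": "10.0.0.5"},
]
```

Only the first sample alert is dropped: the third has a different sid and the fourth's source is not in the table, so both survive even though the rule targets GB.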
