[Oisf-users] Fwd: Threshold.conf not working

Josh Brower Josh at defensivedepth.com
Sun Jan 6 20:15:26 UTC 2013


I am using Suricata with the latest version of Security Onion (12.04),
which uses Suricata 1.3.3.  I have threshold.conf with 18 entries.  I have
verified that Suricata loaded those 18 rules on startup ("Threshold config
parsed: 18 rule(s) found")

But I still get alerts firing for these entries... For example, in my
threshold.conf:

#Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38) for SOSERVER- False Positive - 12/12

suppress gen_id 1, sig_id 2404037, track by_dst, ip 72.8.140.222

I restart Suricata, and I still get this alert firing for the dst IP
of 72.8.140.222.

What should I troubleshoot next?

Thanks

-Josh
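A small checker for the suppress syntax discussed in this thread, added here as an example (it is not from the post or from Suricata itself). It parses threshold.conf suppress lines in the form shown above and reports whether a given alert (gen_id, sig_id, source, destination) would be matched, which makes it easy to confirm that an entry's track direction and IP actually line up with the alert it is meant to silence. The second sample entry and its sid are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
# Assumption: only 'suppress' lines in the form used in the post are handled;
# threshold/rate_filter lines are skipped.
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]   # None: suppress regardless of address
    net: object            # ip_network the tracked address must fall in (or None)

def parse_threshold_conf(text: str) -> list:
    """Parse suppress entries; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append(Suppress(int(gid), int(sid), track, net))
    return entries

def is_suppressed(entries, gid: int, sid: int, src_ip: str, dst_ip: str) -> bool:
    """True if an entry matches gid/sid and its tracked address (by_dst = destination)."""
    for e in entries:
        if (e.gid, e.sid) != (gid, sid):
            continue
        if e.track is None:
            return True
        addr = ipaddress.ip_address(dst_ip if e.track == "by_dst" else src_ip)
        if addr in e.net:
            return True
    return False

# Constructed sample: the entry from the post plus a track-less entry (made-up sid).
SAMPLE_CONF = """
#Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38) for SOSERVER
suppress gen_id 1, sig_id 2404037, track by_dst, ip 72.8.140.222
suppress gen_id 1, sig_id 2000001
"""
ENTRIES = parse_threshold_conf(SAMPLE_CONF)
```

Feeding the checker the gid, sid, source and destination taken from an alert that still fires shows at once whether the entry fails on the sid, on the track direction, or on the address.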