[Oisf-users] Threshold.conf not working

Matt Jonkman jonkman at jonkmans.com
Mon Jan 7 13:52:23 UTC 2013


I don't have any ideas on why the suppress isn't working, hopefully someone
else may have an idea there.

I'm chasing down that false positive though. Looks like that IP is an irc
server as well which is probably where it got listed in the shadowserver
feed. Will ping them to see if they're ok removing it.

Matt


On Sun, Jan 6, 2013 at 3:05 PM, Josh Brower <joshbrower at gmail.com> wrote:

> I am using Suricata with the latest version of Security Onion (12.04),
> which uses Suricata 1.3.3.  I have threshold.conf with 18 entries.  I have
> verified that Suricata loaded those 18 rules on startup ("Threshold config
> parsed: 18 rule(s) found")
>
> But I still get alerts firing for these entries... For example, in my
> threshold.conf:
>
> #Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38)  for
>  SOSERVER- False Positive - 12/12
>
>  suppress gen_id 1, sig_id 2404037, track by_dst, ip 72.8.140.222
>
> I restart Suricata, and I still get this alert firing for the dst IP
> of 72.8.140.222.
>
> What should I tshoot next?
>
> Thanks
>
> -Josh
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



-- 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130107/b4948df5/attachment-0002.html>


More information about the Oisf-users mailing list