[Oisf-users] Alerts' suppression

Kirill Sluchanko KSluchanko at polikom.ru
Mon Jul 15 13:50:59 UTC 2013


Suricata's Wiki contains the following text in the Global-Thresholds section:


Suppressions can be used to suppress alerts for a rule or a
host/network. Actions performed when a rule matches, such as setting a
flowbit, are still performed.


suppress gen_id <gid>, sig_id <sid>
suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|


suppress gen_id 1, sig_id 2002087, track by_src, ip

This will make sure the signature 2002087 will never match for src host

In the first paragraph we see that 'suppress' suppresses alerts for the
rule while other actions are still performed when the rule matches. OK, that's
exactly what I need - drop UDP with invalid checksums but suppress
alerts on it to keep my logs clear.

But then we have a usage example for 'suppress' - and the explanation says
that 'suppress' makes the signature never match. Wow... looks like if I
use 'suppress' for my rule, which is dropping UDP packets with
invalid checksums, it will never match and the packets I want to drop will
pass. Not good.

Which is true? And, of course, the Global-Thresholds section in the Wiki should
be corrected to be precise and unambiguous.

Best regards,
Cyril Sluchanko
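The parser below is an added example, not part of the message or of Suricata itself: it implements the two suppress forms quoted from the wiki (gen_id/sig_id, optionally track and ip) and decides whether a given alert would be suppressed, modelling only the alert decision and not the drop question the message raises. The 203.0.113.0/24 address stands in for the value cut off in the quoted wiki line, sid 1000001 is a hypothetical local sid, and accepting a bracketed list of networks is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The two "suppress" forms quoted from the wiki; the ip field is a host or CIDR.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)

@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None          # None: suppress for every host
    nets: list = field(default_factory=list)

def parse_suppress_lines(text: str) -> List[Suppress]:
    """Collect suppress entries; comments, threshold and rate_filter lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUPPRESS_RE.match(line) if line else None
        if not m:
            continue
        gid, sid, track, ips = m.groups()
        # Assumption: a bracketed, comma-separated list of networks is accepted too.
        nets = [ipaddress.ip_network(i, strict=False)
                for i in ips.strip("[]").split(",")] if ips else []
        rules.append(Suppress(int(gid), int(sid), track, nets))
    return rules

def alert_is_suppressed(rules, gid, sid, src, dst) -> bool:
    """Alert decision only (the rule's action, e.g. drop, is not modelled here)."""
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue
        if r.track is None:
            return True
        host = ipaddress.ip_address(src if r.track == "by_src" else dst)
        if any(host in n for n in r.nets):
            return True
    return False

# Constructed sample: 203.0.113.0/24 replaces the cut-off wiki address; 1000001 is a hypothetical sid.
SAMPLE_CONFIG = """suppress gen_id 1, sig_id 2002087, track by_src, ip 203.0.113.0/24
suppress gen_id 1, sig_id 1000001   # alerts off everywhere for this sid
"""
RULES = parse_suppress_lines(SAMPLE_CONFIG)
```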

