[Oisf-users] Alerts' suppression
Kirill Sluchanko
KSluchanko at polikom.ru
Mon Jul 15 13:50:59 UTC 2013
Hi,
Suricata's Wiki contains following text in Global-Thresholds section:
-------------------------------------------------------------------------------
suppress
Suppressions can be used to suppress alerts for a rule or a
host/network. Actions performed when a rule matches, such as setting a
flowbit, are still performed.
Syntax:
suppress gen_id <gid>, sig_id <sid>
suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|
subnet>
Example:
suppress gen_id 1, sig_id 2002087, track by_src, ip 209.132.180.67
This will make sure the signature 2002087 will never match for src host
209.132.180.67.
-------------------------------------------------------------------------------
In the first paragraph we see that 'suppress' suppresses alerts for the
rule while other actions still performed when rule matches. OK, that's
exactly what I need - drop UDP with invalid checksums but suppress
alerts on it to keep my logs clear.
But then we have usage example for 'suppress' - and explanation says
that 'suppress' makes signature never matching. Wow... looks like if I
will use 'suppress' for my rule, which is dropping UDP packets with
invalid checksums, it will never match and packets I want to drop will
pass. Not good.
Which is true? And, of course Global-Thresholds section in Wiki should
be corrected to be precise and single meaning.
Best regards,
Cyril Sluchanko
More information about the Oisf-users
mailing list