[Oisf-users] Alerts' suppression

Kirill Sluchanko KSluchanko at polikom.ru
Mon Jul 15 13:50:59 UTC 2013


Hi,

Suricata's Wiki contains the following text in the Global-Thresholds section:

-------------------------------------------------------------------------------
suppress

Suppressions can be used to suppress alerts for a rule or a
host/network. Actions performed when a rule matches, such as setting a
flowbit, are still performed.

Syntax:

suppress gen_id <gid>, sig_id <sid>
suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|
subnet>

Example:

suppress gen_id 1, sig_id 2002087, track by_src, ip 209.132.180.67

This will make sure the signature 2002087 will never match for src host
209.132.180.67.
-------------------------------------------------------------------------------

In the first paragraph we see that 'suppress' suppresses alerts for the
rule while other actions are still performed when the rule matches. OK, that's
exactly what I need - drop UDP with invalid checksums but suppress
alerts on it to keep my logs clear.

But then we have a usage example for 'suppress' - and the explanation says
that 'suppress' makes the signature never match. Wow... looks like if I
use 'suppress' for my rule, which is dropping UDP packets with
invalid checksums, it will never match and the packets I want to drop will
pass. Not good.

Which is true? And, of course, the Global-Thresholds section in the Wiki should
be corrected to be precise and unambiguous.

Best regards,
Cyril Sluchanko
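As an added illustration of the syntax quoted from the wiki (this is example code written for this page, not Suricata's own threshold.config parser and not anything from the poster), the snippet below parses `suppress` lines and decides whether a given alert would be suppressed under the `track by_src` / `by_dst` and `ip <ip|subnet>` matching the wiki describes. The sample config is constructed: sid 2002087 and host 209.132.180.67 come from the wiki example, while sids 1000001 and 1000002 and the 10.0.0.0/8 subnet are placeholders. It models only whether an alert is emitted; whether the rule's other actions still run is exactly the question raised in the post and is not decided here.

```python
import ipaddress
import re

# Constructed sample threshold.config content (not taken from the mailing list post).
SAMPLE_THRESHOLD_CONFIG = """
# suppress the signature for every source/destination
suppress gen_id 1, sig_id 2002087
# suppress only when the source host matches (placeholder sid)
suppress gen_id 1, sig_id 1000001, track by_src, ip 209.132.180.67
# suppress only when the destination is inside a subnet (placeholder sid)
suppress gen_id 1, sig_id 1000002, track by_dst, ip 10.0.0.0/8
"""

# Both syntax forms from the wiki: with and without the optional "track ..., ip ..." part.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


def parse_suppress(text):
    """Parse suppress lines into rule dicts; blank lines and '#' comments are skipped.

    A line that is not valid suppress syntax raises ValueError with its line number,
    so a typo in threshold.config is caught instead of silently ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised suppress line: {line!r}")
        # A bare host ("209.132.180.67") becomes a /32 network; strict=False accepts
        # subnets written with host bits set.
        net = ipaddress.ip_network(m.group("ip"), strict=False) if m.group("ip") else None
        rules.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "track": m.group("track"),  # None, "by_src" or "by_dst"
            "net": net,
        })
    return rules


def alert_suppressed(rules, gid, sid, src_ip, dst_ip):
    """Return True if an alert for (gid, sid) with these endpoints would be suppressed."""
    for rule in rules:
        if rule["gid"] != gid or rule["sid"] != sid:
            continue
        if rule["track"] is None:
            # Global suppression for this signature: no address check at all.
            return True
        addr = ipaddress.ip_address(src_ip if rule["track"] == "by_src" else dst_ip)
        if addr in rule["net"]:
            return True
    return False


if __name__ == "__main__":
    rules = parse_suppress(SAMPLE_THRESHOLD_CONFIG)
    for rule in rules:
        print(rule)
    # Alert from the wiki's example host is suppressed; the same sid from another host is not.
    print(alert_suppressed(rules, 1, 1000001, "209.132.180.67", "192.0.2.10"))
    print(alert_suppressed(rules, 1, 1000001, "192.0.2.10", "209.132.180.67"))
```

Running the module prints the three parsed rules followed by `True` and `False`: the by_src rule only applies when the matching address is the source, which is the direction-sensitivity a defender should keep in mind when suppressing a host rather than a signature.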

