[Oisf-users] Alerts' suppression

Kirill Sluchanko KSluchanko at polikom.ru
Wed Jul 17 12:28:43 UTC 2013

OK, let's start from the other end.

My task is to remove alerts for some rule from unified2.alerts as these
alerts uselessly poisoning Snorby's database.  

As I got no replies on previous message I've tried to experiment with
threshold settings. First of all I've enabled drop.log (as, for some
reasons, it is the only way I can use to find if the packets are

Then I've enabled threshold file in suricata.yaml and create
threshold.config with following content:

  suppress gen_id 1, sig_id 2200075

Restart Suricata - and first try failed. Too few records in drop.log. I
think it means that packets matching the rule is not dropped - and when
I have commented the string above and restarted Suricata, drop.log shows
that packets of interest are dropping.

Well, let's try another way - I have changed content of threshold.conf
to following string:

  threshold gen_id 1, sig_id 2200075, type threshold, track by_src,
count 1000,  seconds 1000

Restart Suricata - still no luck; drop.log shows that nothing is
dropped. Comment the string and restart Suricata - drop.log shows that
packets are dropping.

The question is - what's wrong with my approach? Or maybe it is
something wrong with Suricata? For example, I suspect that 'suppress' or
'threshold' usage can influence dropped packets logging.

С уважением,                                                       Best regards,
Кирилл Случанко                                                 Kirill Sluchanko
Ведущий инженер                                                  Senior engineer
Отдел системной интеграции                        Systems Integration Department
KSluchanko at polikom.ru                                      KSluchanko at polikom.ru
ICQ: 58533620  Skype: KSluchanko                ICQ: 58533620  Skype: KSluchanko
тел.: +7 (812) 325 84 00 #182                     phone: +7 (812) 325 84 00 #182

——————————————————————————————————            ——————————————————————————————————

ЗАО «Поликом Про»                                                Polikom Pro JSC
Системный интегратор                                          Systems Integrator
195197, Россия, Санкт-Петербург                    195197 Russia, St. Petersburg
пр. Полюстровский, дом 59, литер Э            59 liter E Poliustrovskiy prospekt
тел.: +7 (812) 325 84 00                               phone: +7 (812) 325 84 00
факс: +7 (812) 320 56 86                                 fax: +7 (812) 320 56 86
www.polikom.ru info at polikom.ru                    www.polikom.ru info at polikom.ru

В Пн, 15/07/2013 в 13:50 +0000, Kirill Sluchanko пишет:
> Hi,
> Suricata's Wiki contains following text in Global-Thresholds section:
> -------------------------------------------------------------------------------
> suppress
> Suppressions can be used to suppress alerts for a rule or a
> host/network. Actions performed when a rule matches, such as setting a
> flowbit, are still performed.
> Syntax:
> suppress gen_id <gid>, sig_id <sid>
> suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|
> subnet>
> Example:
> suppress gen_id 1, sig_id 2002087, track by_src, ip
> This will make sure the signature 2002087 will never match for src host
> -------------------------------------------------------------------------------
> In the first paragraph we see that 'suppress' suppresses alerts for the
> rule while other actions still performed when rule matches. OK, that's
> exactly what I need - drop UDP with invalid checksums but suppress
> alerts on it to keep my logs clear.
> But then we have usage example for 'suppress' - and explanation says
> that 'suppress' makes signature never matching. Wow... looks like if I
> will use 'suppress' for my rule, which is dropping UDP packets with
> invalid checksums, it will never match and packets I want to drop will
> pass. Not good.
> Which is true? And, of course Global-Thresholds section in Wiki should
> be corrected to be precise and single meaning.
> Best regards,
> Cyril Sluchanko
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

More information about the Oisf-users mailing list