[Oisf-users] Alerts' suppression
Kirill Sluchanko
KSluchanko at polikom.ru
Mon Jul 22 07:51:29 UTC 2013
Victor,
/usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile /var/run/suricata.pid -q 0 -D
I use 1.2.1-2 from Debian distribution - missed it in previous messages.
В Пн, 22/07/2013 в 09:27 +0200, Victor Julien пишет:
On 07/17/2013 02:28 PM, Kirill Sluchanko wrote:
> OK, let's start from the other end.
>
> My task is to remove alerts for some rule from unified2.alerts as these
> alerts uselessly poisoning Snorby's database.
>
> As I got no replies on previous message I've tried to experiment with
> threshold settings. First of all I've enabled drop.log (as, for some
> reasons, it is the only way I can use to find if the packets are
> dropped).
>
> Then I've enabled threshold file in suricata.yaml and create
> threshold.config with following content:
>
> suppress gen_id 1, sig_id 2200075
>
> Restart Suricata - and first try failed. Too few records in drop.log. I
> think it means that packets matching the rule is not dropped - and when
> I have commented the string above and restarted Suricata, drop.log shows
> that packets of interest are dropping.
>
> Well, let's try another way - I have changed content of threshold.conf
> to following string:
>
> threshold gen_id 1, sig_id 2200075, type threshold, track by_src,
> count 1000, seconds 1000
>
> Restart Suricata - still no luck; drop.log shows that nothing is
> dropped. Comment the string and restart Suricata - drop.log shows that
> packets are dropping.
>
> The question is - what's wrong with my approach? Or maybe it is
> something wrong with Suricata? For example, I suspect that 'suppress' or
> 'threshold' usage can influence dropped packets logging.
How are you starting Suricata?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130722/a5209084/attachment-0002.html>
More information about the Oisf-users
mailing list