[Oisf-users] Alerts' suppression

Victor Julien lists at inliniac.net
Mon Jul 22 07:53:28 UTC 2013


On 07/22/2013 09:51 AM, Kirill Sluchanko wrote:
>         Victor,
> 
>    /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile
> /var/run/suricata.pid -q 0 -D
> 
>         I use 1.2.1-2 from Debian distribution - missed it in previous
> messages.

You need to upgrade to 1.4.4, a lot changed since 1.2, especially for
thresholding.

Cheers,
Victor

PS: please don't use HTML and don't top post.


> On Mon, 22/07/2013 at 09:27 +0200, Victor Julien wrote:
>> On 07/17/2013 02:28 PM, Kirill Sluchanko wrote:
>> > OK, let's start from the other end.
>> > 
>> > My task is to remove alerts for some rule from unified2.alerts as these
>> > alerts are uselessly poisoning Snorby's database.
>> > 
>> > As I got no replies on previous message I've tried to experiment with
>> > threshold settings. First of all I've enabled drop.log (as, for some
>> > reasons, it is the only way I can use to find if the packets are
>> > dropped).
>> > 
>> > Then I've enabled the threshold file in suricata.yaml and created
>> > threshold.config with the following content:
>> > 
>> >   suppress gen_id 1, sig_id 2200075
>> > 
>> > Restart Suricata - and the first try failed. Too few records in drop.log. I
>> > think it means that packets matching the rule are not dropped - and when
>> > I commented out the string above and restarted Suricata, drop.log showed
>> > that packets of interest are dropping.
>> > 
>> > Well, let's try another way - I have changed content of threshold.conf
>> > to following string:
>> > 
>> >   threshold gen_id 1, sig_id 2200075, type threshold, track by_src,
>> > count 1000,  seconds 1000
>> > 
>> > Restart Suricata - still no luck; drop.log shows that nothing is
>> > dropped. Comment the string and restart Suricata - drop.log shows that
>> > packets are dropping.
>> > 
>> > The question is - what's wrong with my approach? Or maybe it is
>> > something wrong with Suricata? For example, I suspect that 'suppress' or
>> > 'threshold' usage can influence dropped packets logging.
>>
>> How are you starting Suricata?
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
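Since the quoted message hinges on whether its two threshold.config lines are even well-formed, here is an added example (not code from the thread, and not Suricata's own parser) that checks the entry types and fields documented for threshold.config: suppress, threshold and event_filter (rate_filter is left out). It validates syntax only; whether a given Suricata version honours an entry, which is what the reply above is about, is not something a file check can tell you. The sample file, including its two deliberately broken lines, is constructed.

```python
"""Syntax checker for Suricata threshold.config entries (added example, not Suricata code)."""

# Fields each entry type must carry, following the documented threshold.config syntax.
REQUIRED = {
    "suppress": {"gen_id", "sig_id"},
    "threshold": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
    "event_filter": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
}
NUMERIC = {"gen_id", "sig_id", "count", "seconds"}
ALLOWED_TYPE = {"threshold", "limit", "both"}
ALLOWED_TRACK = {"by_src", "by_dst"}


def parse_entry(line):
    """Split one entry into (kind, {field: value}); None for blank or comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    kind, _, rest = body.partition(" ")
    if kind not in REQUIRED:
        raise ValueError(f"unknown entry type {kind!r}")
    fields = {}
    for item in (rest.split(",") if rest.strip() else []):
        parts = item.split()
        if len(parts) != 2:
            raise ValueError(f"malformed field {item.strip()!r}")
        key, value = parts
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    return kind, fields


def validate_entry(kind, fields):
    """Return a list of problems with one parsed entry (empty list means well-formed)."""
    problems = []
    missing = sorted(REQUIRED[kind] - fields.keys())
    if missing:
        problems.append(f"{kind}: missing {', '.join(missing)}")
    for key in sorted(NUMERIC & fields.keys()):
        if not fields[key].isdigit():
            problems.append(f"{key} must be a non-negative integer, got {fields[key]!r}")
    if "type" in fields and fields["type"] not in ALLOWED_TYPE:
        problems.append(f"type must be one of {sorted(ALLOWED_TYPE)}, got {fields['type']!r}")
    if "track" in fields and fields["track"] not in ALLOWED_TRACK:
        problems.append(f"track must be one of {sorted(ALLOWED_TRACK)}, got {fields['track']!r}")
    # A suppress entry is either global (gen_id/sig_id only) or scoped to an
    # address with both 'track' and 'ip'; one without the other is incomplete.
    if kind == "suppress" and ("ip" in fields) != ("track" in fields):
        problems.append("suppress: 'track' and 'ip' must be given together")
    return problems


def check_config(text):
    """Check a whole file; return (number of well-formed entries, {line_no: [problems]})."""
    good, report = 0, {}
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_entry(line)
        except ValueError as exc:
            report[number] = [str(exc)]
            continue
        if parsed is None:
            continue
        problems = validate_entry(*parsed)
        if problems:
            report[number] = problems
        else:
            good += 1
    return good, report


# Constructed sample: the two entries from the thread plus two deliberately broken ones
# (line 4 lacks 'seconds', line 5 gives 'ip' without 'track').
SAMPLE_CONFIG = """\
# suppress every alert for sid 2200075
suppress gen_id 1, sig_id 2200075
threshold gen_id 1, sig_id 2200075, type threshold, track by_src, count 1000,  seconds 1000
threshold gen_id 1, sig_id 2200075, type threshold, track by_src, count 1000
suppress gen_id 1, sig_id 2200075, ip 10.0.0.0/8
"""

if __name__ == "__main__":
    ok, issues = check_config(SAMPLE_CONFIG)
    print(f"{ok} well-formed entries")
    for number, problems in sorted(issues.items()):
        for problem in problems:
            print(f"line {number}: {problem}")
```

Run it against your own threshold.config before restarting Suricata; a clean report rules out a typo as the reason an entry seems ignored, leaving version behaviour (as in the reply above) as the thing to look at.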



