[Oisf-users] Alerts' suppression

Victor Julien lists at inliniac.net
Mon Jul 22 08:10:23 UTC 2013


On 07/22/2013 10:05 AM, Kirill Sluchanko wrote:
>> On 07/22/2013 09:51 AM, Kirill Sluchanko wrote:
>>>         Victor,
>>>
>>>    /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile
>>> /var/run/suricata.pid -q 0 -D
>>>
>>>         I use 1.2.1-2 from Debian distribution - missed it in previous
>>> messages.
>>
>> You need to upgrade to 1.4.4, a lot changed since 1.2, especially for
>> thresholding.
>>
>> Cheers,
>> Victor
>>
>> Ps. please don't use html and don't top post.
>>
>>
>>> On Mon, 22/07/2013 at 09:27 +0200, Victor Julien wrote:
>>>> On 07/17/2013 02:28 PM, Kirill Sluchanko wrote:
>>>>> OK, let's start from the other end.
>>>>>
>>>>> My task is to remove alerts for some rule from unified2.alerts as these
>>>>> alerts are uselessly poisoning Snorby's database.
>>>>>
>>>>> As I got no replies on previous message I've tried to experiment with
>>>>> threshold settings. First of all I've enabled drop.log (as, for some
>>>>> reasons, it is the only way I can use to find if the packets are
>>>>> dropped).
>>>>>
>>>>> Then I've enabled threshold file in suricata.yaml and create
>>>>> threshold.config with following content:
>>>>>
>>>>>   suppress gen_id 1, sig_id 2200075
>>>>>
>>>>> Restart Suricata - and first try failed. Too few records in drop.log. I
>>>>> think it means that packets matching the rule are not dropped - and when
>>>>> I have commented the string above and restarted Suricata, drop.log shows
>>>>> that packets of interest are dropping.
>>>>>
>>>>> Well, let's try another way - I have changed content of threshold.conf
>>>>> to following string:
>>>>>
>>>>>   threshold gen_id 1, sig_id 2200075, type threshold, track by_src,
>>>>> count 1000,  seconds 1000
>>>>>
>>>>> Restart Suricata - still no luck; drop.log shows that nothing is
>>>>> dropped. Comment the string and restart Suricata - drop.log shows that
>>>>> packets are dropping.
>>>>>
>>>>> The question is - what's wrong with my approach? Or maybe it is
>>>>> something wrong with Suricata? For example, I suspect that 'suppress' or
>>>>> 'threshold' usage can influence dropped packets logging.
>>>>
>>>> How are you starting Suricata?
>>>>
>>
> 
> Victor,
> 
> Sorry for HTML - just forgot to switch to clear text. And I will not be
> top posting.
> 
> I cannot upgrade to 1.4.4 right now - just no time and no experience in
> creating Debian packages, and I cannot pass server with many
> "configure-make-make install" software to production for some reason.
> 
> Is it possible to find if just alerts are suppressed in 1.2.2? I suppose
> that empty drop.log is just a bug or I don't understand how suppression
> works - but I need input from Suricata team to confirm it, if it is
> possible.
> 

Like I said, a lot changed between 1.2 and 1.4.4, especially for
thresholding and alert suppression. You really need to upgrade. A
million other bugs are fixed as well. 1.4.3 is in debian testing, so you
could try using that.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
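The two threshold.config entries discussed in the thread (a plain `suppress` and a `type threshold, track by_src` entry) are easy to misread, so here is an added example, not part of the thread or of Suricata's code, that parses such lines and models what each entry does to alert logging per the semantics Suricata documents for suppress/limit/threshold/both. The config text and IPs are constructed; the model covers alert logging only and says nothing about drop behaviour.

```python
import re
from collections import defaultdict

# Constructed threshold.config modelled on the thread's two entries; the
# second line uses a small count/window so the effect is easy to follow.
THRESHOLD_CONFIG = """
suppress gen_id 1, sig_id 2200075
threshold gen_id 1, sig_id 2200076, type threshold, track by_src, count 3, seconds 10
"""

def parse_threshold_config(text):
    """Parse 'suppress' / 'threshold' entries into a dict keyed by sig_id."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, body = line.partition(" ")
        opts = dict(re.findall(r"(\w+)\s+(\S+)", body.replace(",", " ")))
        rules[int(opts["sig_id"])] = {
            "kind": kind, "type": opts.get("type"),
            "count": int(opts.get("count", 0)),
            "seconds": int(opts.get("seconds", 0)),
        }
    return rules

class ThresholdState:
    """Simplified model: decides whether an alert for (sid, src_ip) at time
    ts would be logged, tracking a per-source count inside a time window."""
    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(lambda: [None, 0])  # key -> [start, count]

    def alert_logged(self, sid, src_ip, ts):
        rule = self.rules.get(sid)
        if rule is None:
            return True                  # no entry: alert logged as usual
        if rule["kind"] == "suppress":
            return False                 # suppress: alert never logged
        win = self.windows[(sid, src_ip)]
        if win[0] is None or ts - win[0] >= rule["seconds"]:
            win[0], win[1] = ts, 0       # window expired: start a fresh one
        win[1] += 1
        n, c = win[1], rule["count"]
        if rule["type"] == "limit":      # first c matches in window are logged
            return n <= c
        if rule["type"] == "threshold":  # every c-th match in window is logged
            return n % c == 0
        if rule["type"] == "both":       # once per window, after c matches
            return n == c
        return True
```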
