[Oisf-users] Alerts' suppression
Kirill Sluchanko
KSluchanko at polikom.ru
Mon Jul 22 08:14:13 UTC 2013
On Mon, 22/07/2013 at 10:10 +0200, Victor Julien wrote:
> On 07/22/2013 10:05 AM, Kirill Sluchanko wrote:
> >> On 07/22/2013 09:51 AM, Kirill Sluchanko wrote:
> >>> Victor,
> >>>
> >>> /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile
> >>> /var/run/suricata.pid -q 0 -D
> >>>
> >>> I use 1.2.1-2 from Debian distribution - missed it in previous
> >>> messages.
> >>
> >> You need to upgrade to 1.4.4, a lot changed since 1.2, especially for
> >> thresholding.
> >>
> >> Cheers,
> >> Victor
> >>
> >> Ps. please don't use html and don't top post.
> >>
> >>
> >>> On Mon, 22/07/2013 at 09:27 +0200, Victor Julien wrote:
> >>>> On 07/17/2013 02:28 PM, Kirill Sluchanko wrote:
> >>>>> OK, let's start from the other end.
> >>>>>
> >>>>> My task is to remove alerts for some rule from unified2.alerts, as these
> >>>>> alerts are uselessly poisoning Snorby's database.
> >>>>>
> >>>>> As I got no replies to my previous message, I've tried to experiment with
> >>>>> threshold settings. First of all I've enabled drop.log (as, for some
> >>>>> reason, it is the only way I can use to find out if the packets are
> >>>>> dropped).
> >>>>>
> >>>>> Then I've enabled the threshold file in suricata.yaml and created
> >>>>> threshold.config with the following content:
> >>>>>
> >>>>> suppress gen_id 1, sig_id 2200075
> >>>>>
> >>>>> Restart Suricata - and the first try failed. Too few records in drop.log. I
> >>>>> think it means that packets matching the rule are not dropped - and when
> >>>>> I commented out the string above and restarted Suricata, drop.log showed
> >>>>> that packets of interest are being dropped.
> >>>>>
> >>>>> Well, let's try another way - I have changed the content of threshold.conf
> >>>>> to the following string:
> >>>>>
> >>>>> threshold gen_id 1, sig_id 2200075, type threshold, track by_src,
> >>>>> count 1000, seconds 1000
> >>>>>
> >>>>> Restart Suricata - still no luck; drop.log shows that nothing is
> >>>>> dropped. Comment out the string and restart Suricata - drop.log shows that
> >>>>> packets are being dropped.
> >>>>>
> >>>>> The question is - what's wrong with my approach? Or maybe something is
> >>>>> wrong with Suricata? For example, I suspect that 'suppress' or
> >>>>> 'threshold' usage can influence dropped-packet logging.
> >>>>
> >>>> How are you starting Suricata?
> >>>>
> >>
> >
> > Victor,
> >
> > Sorry for HTML - just forgot to switch to clear text. And I will not be
> > top posting.
> >
> > I cannot upgrade to 1.4.4 right now - just no time and no experience in
> > creating Debian packages, and I cannot pass a server with a lot of
> > "configure-make-make install" software to production for some reason.
> >
> > Is it possible to find out if just alerts are suppressed in 1.2.2? I suppose
> > that the empty drop.log is just a bug, or I don't understand how suppression
> > works - but I need input from the Suricata team to confirm it, if that is
> > possible.
> >
>
> Like I said, a lot changed between 1.2 and 1.4.4, especially for
> thresholding and alert suppression. You really need to upgrade. A
> million other bugs are fixed as well. 1.4.3 is in Debian testing, so you
> could try using that.
>
Victor,
OK - if it is the only way, I'll try to mix stable with testing.
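As an added illustration, not part of this thread and not Suricata's own code, the following Python models the alert-logging semantics of the two threshold.config entry types tried above (a plain suppress, and a threshold entry with type threshold / limit / both, track, count and seconds, as the threshold.config documentation describes them) against a constructed event stream. The sids other than 2200075, the addresses and the timestamps are constructed, and the model only answers "would this alert be logged"; it says nothing about whether a drop rule's packets are still dropped, which is exactly what the thread leaves open.

```python
# Constructed threshold.config text: the two entry shapes discussed in the thread,
THRESHOLD_CONF = """
# never log alerts for this signature
suppress gen_id 1, sig_id 2200075
# alert on every 3rd hit from the same source inside a 60 s interval (assumed sid)
threshold gen_id 1, sig_id 2200076, type threshold, track by_src, count 3, seconds 60
"""

def parse_threshold_conf(text):
    """Parse suppress/threshold entries into a dict keyed by (gen_id, sig_id)."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        opts = dict(tok.strip().split(None, 1) for tok in rest.split(","))
        rules[(int(opts["gen_id"]), int(opts["sig_id"]))] = {"kind": kind, **opts}
    return rules

class AlertFilter:
    """Decide per event whether an alert would be logged under the loaded entries."""
    def __init__(self, rules):
        self.rules = rules
        self.windows = {}   # (gid, sid, tracked ip) -> (interval start, hits so far)
    def should_alert(self, gid, sid, src, dst, ts):
        rule = self.rules.get((gid, sid))
        if rule is None:
            return True                  # no entry for this signature: log as usual
        if rule["kind"] == "suppress":
            return False                 # suppress: the alert is never logged
        key = (gid, sid, src if rule["track"] == "by_src" else dst)
        start, hits = self.windows.get(key, (ts, 0))
        if ts - start >= int(rule["seconds"]):
            start, hits = ts, 0          # interval expired: start a fresh one
        hits += 1
        self.windows[key] = (start, hits)
        n = int(rule["count"])
        if rule["type"] == "threshold":
            return hits % n == 0         # every n-th event in the interval
        if rule["type"] == "limit":
            return hits <= n             # only the first n events in the interval
        return hits == n                 # both: once per interval, at the n-th event

def run_demo():
    """Constructed event stream; returns (sid, ts, alerted) for each event."""
    f = AlertFilter(parse_threshold_conf(THRESHOLD_CONF))
    events = [(2200075, "10.0.0.1", t) for t in range(5)] + \
             [(2200076, "10.0.0.2", t) for t in (0, 10, 20, 30, 40, 50, 70)]
    return [(sid, ts, f.should_alert(1, sid, src, "10.0.0.9", ts)) for sid, src, ts in events]
```

With these entries every sid 2200075 event is silenced, while sid 2200076 alerts only at its 3rd and 6th hit inside the 60 s interval and starts counting afresh at ts 70.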