[Oisf-users] IP Address Suppression Issue

Leonard Jacobs ljacobs at netsecuris.com
Sun Nov 3 14:11:19 UTC 2013

Suricata version 1.4.6


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:1;)


Keep in mind that I have seen the issue occur with other signatures as well.


I used the links you gave me to actually create the threshold statements.

From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Sunday, November 03, 2013 4:09 AM
To: Leonard Jacobs
Cc: oisf-users
Subject: Re: [Oisf-users] IP Address Suppression Issue

On Sat, Nov 2, 2013 at 6:41 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:

When setting a destination IP address to suppress alerts in the threshold.config file, it is not suppressing alerts for signature CURRENT_EVENTS NeoSploit - TDS. Can anyone tell me why it does not suppress alerts for that signature?


I am using the following in the threshold.config file.


suppress gen_id 1, sig_id 0, track by_dst, ip


That address resolves to www.bookashowing.com.


Can you please post the signature?

What Suricata version are you using?

Have you looked here:

and here:

Peter Manev
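The suppress semantics both messages rely on can be checked offline before chasing a version-specific problem. The script below is an added example, not code from the thread or from Suricata: it implements the documented threshold.config suppress matching (gen_id, sig_id with 0 meaning every signature of that generator, track by_src or by_dst compared against the alert's source or destination address, ip as a single address or a CIDR) and runs constructed alerts for sid 2015665 through it. The addresses (192.0.2.10 standing in for the scrubbed www.bookashowing.com address, 10.0.0.0/24 as $HOME_NET), the second suppress line and the alert tuples are assumptions made for the demonstration.

```python
"""Offline checker for Suricata threshold.config 'suppress' lines.

Added example, not code from the mailing-list thread or from Suricata.
It models only the documented matching:
  suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>]
  - sig_id 0 means every signature of that generator
  - by_src / by_dst compare against the alert's source / destination address
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

NetType = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int                 # 0 = all signatures for this gen_id
    track: Optional[str]        # "by_src", "by_dst" or None (no address test)
    net: Optional[NetType]


def parse_threshold_config(text: str) -> List[Suppress]:
    """Parse the suppress lines; threshold/event_filter lines are ignored here."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        gid, sid, track, ip = m.groups()
        # a bare address becomes a /32 (or /128) network
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gid), int(sid), track, net))
    return rules


def matching_suppress(rules: List[Suppress], gen_id: int, sig_id: int,
                      src_ip: str, dst_ip: str) -> Optional[Suppress]:
    """Return the first suppress line that silences this alert, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.gen_id != gen_id or r.sig_id not in (0, sig_id):
            continue
        if r.track is None:
            return r
        addr = src if r.track == "by_src" else dst
        if addr in r.net:
            return r
    return None


# Constructed threshold.config. 192.0.2.10 stands in for the scrubbed
# www.bookashowing.com address; the by_src line is an extra assumed example.
THRESHOLD_CONFIG = """\
# sid 0 = every signature, matched on the packet's destination address
suppress gen_id 1, sig_id 0, track by_dst, ip 192.0.2.10
# assumed $HOME_NET range, only for the NeoSploit signature
suppress gen_id 1, sig_id 2015665, track by_src, ip 10.0.0.0/24
"""

# Constructed alerts as (gen_id, sig_id, src, dst). sid 2015665 is the
# $HOME_NET -> $EXTERNAL_NET, to_server rule from the thread, so the
# external server is the *destination* of the alerting packet.
ALERTS: List[Tuple[int, int, str, str]] = [
    (1, 2015665, "10.0.0.5", "192.0.2.10"),      # client -> suppressed server
    (1, 2015665, "192.0.2.10", "10.0.0.5"),      # reversed: by_dst cannot match
    (1, 2015665, "172.16.0.9", "198.51.100.7"),  # other server, other client
    (1, 2015665, "10.0.0.77", "198.51.100.7"),   # other server, src in 10.0.0.0/24
    (1, 2100498, "10.0.0.77", "198.51.100.7"),   # other sid: sid-specific line skipped
]


def run_example() -> List[Optional[Suppress]]:
    rules = parse_threshold_config(THRESHOLD_CONFIG)
    return [matching_suppress(rules, *alert) for alert in ALERTS]


if __name__ == "__main__":
    for alert, hit in zip(ALERTS, run_example()):
        print(alert, "suppressed by" if hit else "NOT suppressed", hit or "")
```

Running it shows the direction dependency a practitioner would check first: the rule is $HOME_NET -> $EXTERNAL_NET with flow:established,to_server, so the external host is the destination of the alerting packet and track by_dst is the right choice for it; the same address on a by_src line would never match this signature. The script models the documented matching only and cannot reproduce version-specific behaviour of Suricata 1.4.6, so the remaining things to confirm are that threshold-file in suricata.yaml points at the file being edited and that Suricata was restarted after the change.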
