[Oisf-users] IP Address Suppression Issue
Leonard Jacobs
ljacobs at netsecuris.com
Sun Nov 3 14:11:19 UTC 2013
Suricata version 1.4.6
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
CURRENT_EVENTS NeoSploit - TDS"; flow:established,to_server; urilen:34;
content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U";
classtype:attempted-user; sid:2015665; rev:1;)
Keep in mind that I have seen the issue occur with other signatures as well.
I used the links you gave me to actually create the threshold statements.
Thanks.
Leonard
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Sunday, November 03, 2013 4:09 AM
To: Leonard Jacobs
Cc: oisf-users
Subject: Re: [Oisf-users] IP Address Suppression Issue
On Sat, Nov 2, 2013 at 6:41 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
When setting a destination IP address to suppress alerts in the threshold.config file, it is not suppressing alerts for signature CURRENT_EVENTS NeoSploit - TDS. Can anyone tell me why it does not suppress alerts for that signature?
I am using the following in the threshold.config file.
suppress gen_id 1, sig_id 0, track by_dst, ip 184.106.100.154
That address resolves to www.bookashowing.com.
Thanks.
Can you please post the signature?
What Suricata version are you using?
Have you looked here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
and here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding
thanks
--
Regards,
Peter Manev
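As an added illustration of how the suppress entry from this thread is meant to match (a small model written for this page, not Suricata's own threshold code), the script below parses suppress lines and checks an alert against them. It assumes single addresses or CIDR networks in the ip field, and the second entry and the IPs in the test cases are constructed for the example. For the NeoSploit rule, which fires on $HOME_NET -> $EXTERNAL_NET traffic, the external host is the destination, so track by_dst is the side that has to carry the address.

```python
import ipaddress
import re

# Constructed threshold.config excerpt: the entry posted in the thread plus a
# by_src variant added here for contrast (not from the original message).
THRESHOLD_CONFIG = """
# suppress every signature (sig_id 0) when the destination is this host
suppress gen_id 1, sig_id 0, track by_dst, ip 184.106.100.154
# suppress one signature only when the source is inside this range
suppress gen_id 1, sig_id 2015665, track by_src, ip 10.0.0.0/8
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*"
    r"track\s+(by_src|by_dst),\s*ip\s+(\S+)$"
)

def parse_suppress(text):
    """Return a list of (gen_id, sig_id, track, network) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unparsed threshold line: %r" % line)
        gen_id, sig_id, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False)  # host or CIDR
        entries.append((int(gen_id), int(sig_id), track, net))
    return entries

def is_suppressed(entries, gen_id, sig_id, src_ip, dst_ip):
    """Model of suppress matching: gen_id must match, sig_id 0 means any
    signature, and the tracked side (src or dst) must fall in the network."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e_gen, e_sig, track, net in entries:
        if e_gen != gen_id or (e_sig != 0 and e_sig != sig_id):
            continue
        tracked = src if track == "by_src" else dst
        if tracked in net:
            return True
    return False
```

Running the same alert through with the addresses swapped shows why a by_dst entry does nothing for flows where the listed host is the source.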