[Oisf-users] IP Address Suppression Issue

Shirkdog shirkdog at gmail.com
Sun Nov 3 15:18:33 UTC 2013


Did you set the sig_id to 2015665 in your suppress rule?
On Nov 3, 2013 9:16 AM, "Leonard Jacobs" <ljacobs at netsecuris.com> wrote:

> Suricata version 1.4.6
>
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>
> CURRENT_EVENTS NeoSploit - TDS"; flow:established,to_server; urilen:34;
>
> content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U";
>
> classtype:attempted-user; sid:2015665; rev:1;)
>
>
>
> Keep in mind that I have seen the issue occur with other signatures as
> well.
>
>
>
> I used the links you gave me to actually create the threshold statements.
>
>
>
> Thanks.
>
>
>
> Leonard
>
>
>
> *From:* Peter Manev [mailto:petermanev at gmail.com]
> *Sent:* Sunday, November 03, 2013 4:09 AM
> *To:* Leonard Jacobs
> *Cc:* oisf-users
> *Subject:* Re: [Oisf-users] IP Address Suppression Issue
>
>
>
>
>
>
>
> On Sat, Nov 2, 2013 at 6:41 PM, Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>
> When setting an destination IP address to suppress alerts in
> threshold.config file. It is not suppressing alerts for signature
> CURRENT_EVENTS NeoSploit – TDS. Can anyone tell me why it does not suppress
> alerts for that signature?
>
>
>
> I am using the following in the threshold.config file.
>
>
>
> suppress gen_id 1, sig_id 0, track by_dst, ip 184.106.100.154
>
>
>
> That address resolves to www.bookashowing.com.
>
>
>
> Thanks.
>
>
>
>
>
>
> Can you please post the signature?
>
> What Suricata version are you using?
>
> Have you looked here:
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
>
> and here:
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding
>
>
>
> thanks
>
>
>
>
>
>
> --
>
> Regards,
>
> Peter Manev
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
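The thread turns on two questions about the suppress entry: whether `sig_id 0` (any signature of gen_id 1) versus the specific `sig_id 2015665` is in play, and whether `track by_dst` is the right direction for a `$HOME_NET -> $EXTERNAL_NET` signature, where the listed server is the packet's destination. The following is an added example, not part of this thread and not Suricata's own code: a small stand-alone model of how a `suppress` line is matched against an alert, as the Global Thresholds wiki linked above describes it, so an analyst can check offline which entries in a threshold.config would (and would not) hit a given sid and address pair before blaming the engine. The bracketed IP-list form, the sample config text and the helper names are assumptions of this example.

```python
"""Model of Suricata threshold.config 'suppress' matching (added example).

Stand-alone re-implementation of the documented matching rule, not
Suricata's code: an entry matches an alert when gen_id matches, sig_id
matches (0 = any signature of that generator) and, for 'track by_src' /
'track by_dst', the tracked address of the packet lies inside one of the
listed networks.  An entry without 'track' suppresses the signature
everywhere.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Grammar of one suppress line (bracketed comma-separated IP lists are assumed).
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int                # 0 means every signature of this gen_id
    track: Optional[str]       # None: suppress the signature for all traffic
    networks: Tuple[Network, ...]


def parse_suppress(line: str) -> Suppress:
    """Parse one 'suppress ...' line; raise ValueError for anything else."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a suppress entry: {line!r}")
    gen_id, sig_id, track, ips = m.groups()
    nets: Tuple[Network, ...] = ()
    if ips:
        # A bare address, a CIDR, or a bracketed list such as [10.0.0.1,10.1.0.0/16].
        parts = ips.strip("[]").split(",")
        nets = tuple(ipaddress.ip_network(p.strip(), strict=False) for p in parts)
    return Suppress(int(gen_id), int(sig_id), track, nets)


def is_suppressed(entries, gen_id: int, sid: int, src_ip: str, dst_ip: str) -> bool:
    """True if any entry suppresses an alert for (gen_id, sid) on this packet."""
    for e in entries:
        if e.gen_id != gen_id or e.sig_id not in (0, sid):
            continue
        if e.track is None:
            return True
        tracked = ipaddress.ip_address(src_ip if e.track == "by_src" else dst_ip)
        if any(tracked in n for n in e.networks):
            return True
    return False


def matching_entries(config_text: str, gen_id: int, sid: int,
                     src_ip: str, dst_ip: str) -> List[str]:
    """Return the suppress lines (as written) that would hit this alert.

    Handy when a suppression appears not to work: it shows which entries
    match and, by their absence, which ones are looking at the wrong side.
    """
    hits = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("suppress"):
            continue  # blank lines, comments and threshold/rate_filter entries
        if is_suppressed([parse_suppress(line)], gen_id, sid, src_ip, dst_ip):
            hits.append(line)
    return hits


# Constructed sample config: the entry from the thread, the sid-specific
# variant asked about in the reply, and a by_src variant for contrast.
SAMPLE_CONFIG = """
# threshold.config (constructed for this example)
suppress gen_id 1, sig_id 0, track by_dst, ip 184.106.100.154
suppress gen_id 1, sig_id 2015665, track by_dst, ip 184.106.100.154
suppress gen_id 1, sig_id 2015665, track by_src, ip 184.106.100.154
"""

if __name__ == "__main__":
    # The signature is $HOME_NET -> $EXTERNAL_NET with flow to_server, so on
    # the alerting packet the listed server is the destination; the by_src
    # entry never sees it.
    print(matching_entries(SAMPLE_CONFIG, 1, 2015665, "10.0.0.5", "184.106.100.154"))
```

Run against the constructed config, the sid 2015665 alert from an internal client to 184.106.100.154 is hit by both `by_dst` entries and by neither `by_src` one; swap the addresses (traffic originating from that host) and only a `by_src` entry would match. Treat the model as a quick consistency check on the config's direction and sid fields, not as a substitute for testing the entry in the Suricata version actually deployed.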