[Oisf-users] threshold.conf not being honored?

Duane Howard duane.security at gmail.com
Fri Apr 3 16:43:24 UTC 2015


This seems like a core thing to have broken. Is there no unit test for this?

On Tue, Mar 31, 2015 at 6:56 AM, Andreas Herz <andi at geekosphere.org> wrote:

> Hi,
>
> On 31/03/15 at 08:51, Barkley, Joey wrote:
> > I am having some trouble getting some rules suppressed in my
> > threshold.conf file. I have verified the file path in my suricata.yaml
> > file. I want to basically turn off certain rules for certain IPs. Here
> > is a sample of what I have in the file:
>
> suppress is not working as intended at the moment, see the issues
> related to that:
>
> https://redmine.openinfosecfoundation.org/issues/1247
>
> https://redmine.openinfosecfoundation.org/issues/1243
>
>
> > # Suppress Nessus alerts for the nessus server...
> > suppress gen_id 1, sig_id 2002664, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ET SCAN Nessus User Agent
> > suppress gen_id 1, sig_id 2102585, track by_src, ip <IPADDRESS_TO_EXCLUDE> # GPL SCAN nessus 2.x 404 probe
> > suppress gen_id 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ETPRO SCAN Nessus Scanner UPNP Broadcast
> >
> > So I have one nessus scanner and I don’t want to log nessus traffic
> > from it. This is just one example. I have several other false
> > positives with certain systems but I want to keep the rules available
> > for logging for everything else.
> >
> > Am I messing up the syntax? I’ve searched and searched but all I can
> > find is some references to not being able to override “in rule limits”
> > and similar wording. Is it possible that this is what is happening
> > here? I find it hard to believe that I can’t suppress a rule for a
> > particular IP.
> >
> > Thanks for the help.
> >
> > Joey
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
>
> --
> Andreas Herz
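As an added, constructed check that is not code from this thread or from Suricata itself: the script below parses threshold.conf-style `suppress` entries of the form quoted above and applies them to a handful of constructed EVE JSON alert records, so you can see what a correctly honored suppression should do (drop the Nessus signatures only when the tracked address matches, keep everything else) before blaming the syntax. The scanner address 10.0.0.5, the /24 on the third entry and the sample alerts are assumptions; the address matching follows the documented `ip <address|subnet>` form, and bracketed address lists, address variables, `threshold`/`rate_filter` entries and blanket `suppress` without `track` are deliberately out of scope. It only tells you what the file should mean; whether a given Suricata build actually honors it is the separate question the issues linked above track.

```python
"""Emulate threshold.conf 'suppress ... track ... ip ...' entries against EVE JSON alerts.

Constructed example, not Suricata's own code. It models the documented semantics of
    suppress gen_id G, sig_id S, track by_src|by_dst, ip ADDR_OR_CIDR
so a suppression list can be sanity-checked offline against sample alerts.
"""
import ipaddress
import json
import re

# One well-formed entry per line; a trailing '# comment' is allowed.
# 'ip' is a single address or a CIDR block (bracketed lists and $VARs are not handled here).
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*ip\s+([0-9a-fA-F.:/]+)\s*(#.*)?$"
)


def parse_suppress(conf_text):
    """Return [(gen_id, sig_id, track, network)] for every suppress entry.

    Blank and comment lines are skipped. Any other line that does not match the
    supported form raises ValueError: an entry that is silently ignored is exactly
    the failure mode this thread is about, so parsing is strict on purpose.
    """
    entries = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported or malformed entry: {stripped}")
        gen_id, sig_id, track, addr = m.group(1), m.group(2), m.group(3), m.group(4)
        # strict=False lets a host address stand in for its own /32 (or /128) network.
        entries.append((int(gen_id), int(sig_id), track, ipaddress.ip_network(addr, strict=False)))
    return entries


def is_suppressed(alert, entries):
    """True if an EVE 'alert' record matches any suppress entry (gid, sid and tracked address)."""
    a = alert["alert"]
    for gen_id, sig_id, track, net in entries:
        if a["gid"] != gen_id or a["signature_id"] != sig_id:
            continue
        host = alert["src_ip"] if track == "by_src" else alert["dest_ip"]
        if ipaddress.ip_address(host) in net:
            return True
    return False


def filter_alerts(eve_lines, entries):
    """Return the records that survive suppression; non-alert events pass through untouched."""
    kept = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or not is_suppressed(rec, entries):
            kept.append(rec)
    return kept


# Constructed threshold.conf fragment mirroring the intent in the thread (scanner address assumed).
SAMPLE_CONF = """
# Suppress Nessus alerts for the nessus server...
suppress gen_id 1, sig_id 2002664, track by_src, ip 10.0.0.5     # ET SCAN Nessus User Agent
suppress gen_id 1, sig_id 2102585, track by_src, ip 10.0.0.5     # GPL SCAN nessus 2.x 404 probe
suppress gen_id 1, sig_id 2803236, track by_src, ip 10.0.0.0/24  # ETPRO SCAN Nessus Scanner UPNP Broadcast
"""

# Constructed EVE JSON alert records, reduced to the fields the check needs.
SAMPLE_EVE = [
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
                "alert": {"gid": 1, "signature_id": 2002664, "signature": "ET SCAN Nessus User Agent"}}),
    json.dumps({"event_type": "alert", "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10",
                "alert": {"gid": 1, "signature_id": 2002664, "signature": "ET SCAN Nessus User Agent"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.77", "dest_ip": "192.0.2.10",
                "alert": {"gid": 1, "signature_id": 2803236, "signature": "ETPRO SCAN Nessus Scanner UPNP Broadcast"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
                "alert": {"gid": 1, "signature_id": 2010935, "signature": "some unrelated signature"}}),
]


def demo():
    """(src_ip, sid) of the alerts that should still be logged after suppression."""
    entries = parse_suppress(SAMPLE_CONF)
    return [(r["src_ip"], r["alert"]["signature_id"]) for r in filter_alerts(SAMPLE_EVE, entries)]


if __name__ == "__main__":
    print(demo())  # → [('198.51.100.7', 2002664), ('10.0.0.5', 2010935)]
```

Run it against a real eve.json (one record per line) by swapping `SAMPLE_EVE` for the file's lines; if alerts your entries should cover still show up here, the entries are wrong, and if they are dropped here but still logged by the sensor, the sensor is not honoring the file.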