[Oisf-users] threshold.conf not being honored?

Duane Howard duane.security at gmail.com
Fri Apr 3 16:44:41 UTC 2015


Nevermind, just finished reading the threads about the deprecated state,
etc. etc.

On Fri, Apr 3, 2015 at 9:43 AM, Duane Howard <duane.security at gmail.com>
wrote:

> This seems like a core thing to have broken. Is there no unit test for
> this?
>
> On Tue, Mar 31, 2015 at 6:56 AM, Andreas Herz <andi at geekosphere.org>
> wrote:
>
>> Hi,
>>
>> On 31/03/15 at 08:51, Barkley, Joey wrote:
>> > I am having some trouble getting some rules suppressed in my
>> > threshold.conf file. I have verified the file path in my suricata.yaml
>> > file. I want to basically turn off certain rules for certain IPs. Here
>> > is a sample of what I have in the file:
>>
>> suppress is not working as intended at the moment, see the issues
>> related to that:
>>
>> https://redmine.openinfosecfoundation.org/issues/1247
>>
>> https://redmine.openinfosecfoundation.org/issues/1243
>>
>>
>> > # Suppress Nessus alerts for the nessus server...
>> > suppress gen_id 1, sig_id 2002664, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ET SCAN Nessus User Agent
>> > suppress gen_id 1, sig_id 2102585, track by_src, ip <IPADDRESS_TO_EXCLUDE> # GPL SCAN nessus 2.x 404 probe
>> > suppress gen_id 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ETPRO SCAN Nessus Scanner UPNP Broadcast
>> >
>> > So I have one nessus scanner and I don’t want to log nessus traffic
>> > from it. This is just one example. I have several other false
>> > positives with certain systems but I want to keep the rules available
>> > for logging for everything else.
>> >
>> > Am I messing up the syntax? I’ve searched and searched but all I can
>> > find is some references to not being able to override “in rule limits”
>> > and similar wording. Is it possible that this is what is happening
>> > here? I find it hard to believe that I can’t suppress a rule for a
>> > particular IP.
>> >
>> > Thanks for the help.
>> >
>> > Joey
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Training now available: http://suricata-ids.org/training/
>>
>> --
>> Andreas Herz
>>
>
>
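The thread hinges on whether Joey's threshold.conf lines say what he thinks they say, and on the fact that, per the linked issues, the engine of that version did not honour suppress entries anyway. The following is an added example (not Suricata's parser, and not code from anyone in the thread): a small offline checker that parses the `suppress gen_id N, sig_id N, track by_src, ip ADDR` syntax shown above and answers "would this alert be suppressed by this file?", so an operator can confirm the file's intent independently of the engine and catch syntax mistakes before reloading. It assumes `track by_dst` is accepted alongside `by_src`, that `ip` takes a single host or CIDR network, and that a suppress line without a `track`/`ip` clause suppresses the signature globally; the sample configuration and the address 192.0.2.10 (standing in for the Nessus scanner) are constructed.

```python
"""Offline checker for Suricata threshold.conf ``suppress`` entries.

Added example, not Suricata's own parser. Constructed sample config below;
192.0.2.10 is a documentation address standing in for the scanner host.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# suppress gen_id N, sig_id N[, track by_src|by_dst, ip ADDR]
# The optional group is an assumption: a bare "suppress gen_id, sig_id" is
# treated as a global suppress for that signature.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]      # "by_src", "by_dst", or None for a global suppress
    net: Optional[Network]    # host or CIDR the track field is matched against


def parse_threshold_conf(text: str) -> Tuple[List[Suppress], List[str]]:
    """Return (entries, errors). Comments after '#' and blank lines are skipped;
    threshold/rate_filter lines are out of scope and ignored."""
    entries: List[Suppress] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: bad suppress syntax: {raw.strip()!r}")
            continue
        gen_id, sig_id, track, addr = m.groups()
        try:
            # strict=False lets "10.1.2.0/24" and plain hosts both parse.
            net = ipaddress.ip_network(addr, strict=False) if addr else None
        except ValueError:
            errors.append(f"line {lineno}: bad ip {addr!r}")
            continue
        entries.append(Suppress(int(gen_id), int(sig_id), track, net))
    return entries, errors


def is_suppressed(entries: List[Suppress], gen_id: int, sig_id: int,
                  src_ip: str, dst_ip: str) -> bool:
    """True if an alert (gen_id, sig_id) between src_ip and dst_ip matches
    any suppress entry under the semantics described in the module docstring."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for e in entries:
        if (e.gen_id, e.sig_id) != (gen_id, sig_id):
            continue
        if e.track is None:
            return True
        addr = src if e.track == "by_src" else dst
        if e.net is not None and addr.version == e.net.version and addr in e.net:
            return True
    return False


# Constructed sample modelled on the thread's three lines.
SAMPLE_CONF = """\
# Suppress Nessus alerts for the nessus server...
suppress gen_id 1, sig_id 2002664, track by_src, ip 192.0.2.10  # ET SCAN Nessus User Agent
suppress gen_id 1, sig_id 2102585, track by_src, ip 192.0.2.10  # GPL SCAN nessus 2.x 404 probe
suppress gen_id 1, sig_id 2803236, track by_src, ip 192.0.2.10  # ETPRO SCAN Nessus Scanner UPNP Broadcast
"""

if __name__ == "__main__":
    entries, errors = parse_threshold_conf(SAMPLE_CONF)
    print(f"{len(entries)} suppress entries, {len(errors)} errors")
    print("scanner -> host:", is_suppressed(entries, 1, 2002664, "192.0.2.10", "10.0.0.5"))
    print("host -> scanner:", is_suppressed(entries, 1, 2002664, "10.0.0.5", "192.0.2.10"))
```

Run it against your own threshold.conf text to see which alerts the file is meant to silence; the "host -> scanner" case shows why `track by_src` does not cover traffic where the scanner is the destination, which is a common reason a suppress appears to be ignored even when the engine honours the file.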

