[Oisf-users] threshold.conf not being honored?

Barkley, Joey Joey.Barkley at ingramcontent.com
Fri Apr 3 18:25:55 UTC 2015


So would there be any way to workaround this by using event_filter or detection_filter? We have several cases on our network where we get lots of false positives for certain rules, but we don’t feel that the rules have no value at all. They just need to be suppressed (or whatever we want to call it) for a certain IP or set of IPs. Thoughts?


On Apr 3, 2015, at 11:44 AM, Duane Howard <duane.security at gmail.com> wrote:

Nevermind, just finished reading the threads about the deprecated state, etc. etc.

On Fri, Apr 3, 2015 at 9:43 AM, Duane Howard <duane.security at gmail.com> wrote:
This seems like a core thing to have broken. Is there no unit test for this?

On Tue, Mar 31, 2015 at 6:56 AM, Andreas Herz <andi at geekosphere.org> wrote:
Hi,

On 31/03/15 at 08:51, Barkley, Joey wrote:
> I am having some trouble getting some rules suppressed in my
> threshold.conf file. I have verified the file path in my suricata.yaml
> file. I want to basically turn off certain rules for certain IPs. Here
> is a sample of what I have in the file:

suppress is not working as intended at the moment, see the issues
related to that:

https://redmine.openinfosecfoundation.org/issues/1247

https://redmine.openinfosecfoundation.org/issues/1243


> # Suppress Nessus alerts for the nessus server...
> suppress gen_id 1, sig_id 2002664, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ET SCAN Nessus User Agent
> suppress gen_id 1, sig_id 2102585, track by_src, ip <IPADDRESS_TO_EXCLUDE> # GPL SCAN nessus 2.x 404 probe
> suppress gen_id 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ETPRO SCAN Nessus Scanner UPNP Broadcast
>
> So I have one nessus scanner and I don’t want to log nessus traffic
> from it. This is just one example. I have several other false
> positives with certain systems but I want to keep the rules available
> for logging for everything else.
>
> Am I messing up the syntax? I’ve searched and searched but all I can
> find is some references to not being able to override “in rule limits”
> and similar wording. Is it possible that this is what is happening
> here? I find it hard to believe that I can’t suppress a rule for a
> particular IP.
>
> Thanks for the help.
>
> Joey
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

--
Andreas Herz
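Added example, not code from this thread or from the Suricata project: a small Python checker that parses the `suppress` entries of a threshold.conf fragment and applies their semantics (gen_id, sig_id, track by_src/by_dst, ip) to EVE JSON alert records. It lets you confirm exactly which alerts an entry is meant to drop for a given scanner address, and it can double as a downstream post-filter over eve.json while the engine-side suppress is not honoured, as discussed above. The scanner IP 192.0.2.10, the EVE records and the acceptance of a CIDR in the `ip` field are assumptions of the example; the `threshold` and `event_filter` entry types are deliberately not modelled.

```python
"""
Added example: parse threshold.conf 'suppress' entries and apply them to
EVE JSON alert records. Not part of Suricata; the sample config and alerts
below are constructed for illustration.
"""
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Grammar of the entries used in the thread:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr>]
# A trailing "# comment" is stripped before matching. Accepting a CIDR in the
# ip field is an assumption of this example.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]      # None: suppress the signature for every address
    net: Optional[Network]


def parse_threshold_conf(text: str) -> List[Suppress]:
    """Return the suppress entries in 'text'; reject anything else loudly."""
    rules: List[Suppress] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported or malformed entry: {raw!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gid), int(sid), track, net))
    return rules


def is_suppressed(event: dict, rules: List[Suppress]) -> bool:
    """True if an EVE alert record matches any suppress entry."""
    alert = event.get("alert", {})
    key = (alert.get("gid"), alert.get("signature_id"))
    for r in rules:
        if key != (r.gid, r.sid):
            continue
        if r.track is None:
            return True
        # by_src looks at the alert's source address, by_dst at its destination
        addr = event["src_ip"] if r.track == "by_src" else event["dest_ip"]
        if ipaddress.ip_address(addr) in r.net:
            return True
    return False


def filter_eve(lines: List[str], rules: List[Suppress]) -> Tuple[List[dict], List[dict]]:
    """Split EVE JSON lines into (kept, suppressed); non-alert events are always kept."""
    kept, suppressed = [], []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") == "alert" and is_suppressed(event, rules):
            suppressed.append(event)
        else:
            kept.append(event)
    return kept, suppressed


# Constructed threshold.conf fragment; 192.0.2.10 stands in for the scanner.
THRESHOLD_CONF = """
# Suppress Nessus alerts for the nessus server
suppress gen_id 1, sig_id 2002664, track by_src, ip 192.0.2.10    # ET SCAN Nessus User Agent
suppress gen_id 1, sig_id 2102585, track by_src, ip 192.0.2.10    # GPL SCAN nessus 2.x 404 probe
suppress gen_id 1, sig_id 2803236, track by_src, ip 192.0.2.0/28  # ETPRO SCAN Nessus Scanner UPNP Broadcast
"""


def _alert(src: str, dst: str, sid: int) -> str:
    return json.dumps({"event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "alert": {"gid": 1, "signature_id": sid, "rev": 1}})


# Constructed eve.json lines: scanner hits, a third-party host, and a flow record.
EVE_SAMPLE = [
    _alert("192.0.2.10", "198.51.100.7", 2002664),   # scanner as source -> suppressed
    _alert("198.51.100.7", "192.0.2.10", 2002664),   # other host as source -> kept
    _alert("198.51.100.7", "192.0.2.10", 2102585),   # by_src ignores dest -> kept
    _alert("192.0.2.3", "198.51.100.9", 2803236),    # inside the /28 -> suppressed
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.7"}),
]

if __name__ == "__main__":
    kept, suppressed = filter_eve(EVE_SAMPLE, parse_threshold_conf(THRESHOLD_CONF))
    print(f"kept {len(kept)}, suppressed {len(suppressed)}")
```

The parser is strict on purpose: any entry it does not understand raises instead of being silently ignored, which is the failure mode the thread is about. Running it over a day of eve.json with your real threshold.conf shows whether the entries match the alerts you expect before you rely on the engine to apply them.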


