[Oisf-users] threshold.conf not being honored?

Barkley, Joey Joey.Barkley at ingramcontent.com
Tue Mar 31 13:51:01 UTC 2015


I am having some trouble getting some rules suppressed in my threshold.conf file. I have verified the file path in my suricata.yaml file. I want to basically turn off certain rules for certain IPs. Here is a sample of what I have in the file:

# Suppress Nessus alerts for the nessus server...
suppress gen_id 1, sig_id 2002664, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ET SCAN Nessus User Agent
suppress gen_id 1, sig_id 2102585, track by_src, ip <IPADDRESS_TO_EXCLUDE> # GPL SCAN nessus 2.x 404 probe
suppress gen_id 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ETPRO SCAN Nessus Scanner UPNP Broadcast

So I have one Nessus scanner and I don’t want to log Nessus traffic from it. This is just one example. I have several other false positives with certain systems but I want to keep the rules available for logging for everything else.

Am I messing up the syntax? I’ve searched and searched but all I can find are some references to not being able to override “in rule limits” and similar wording. Is it possible that this is what is happening here? I find it hard to believe that I can’t suppress a rule for a particular IP.

Thanks for the help.

