[Oisf-users] threshold.conf not being honored?

Andreas Herz andi at geekosphere.org
Tue Mar 31 13:56:20 UTC 2015


On 31/03/15 at 08:51, Barkley, Joey wrote:
> I am having some trouble getting some rules suppressed in my
> threshold.conf file. I have verified the file path in my suricata.yaml
> file. I want to basically turn off certain rules for certain IPs. Here
> is a sample of what I have in the file:

suppress ist not working as intended at the moment, see the issues
related to that:



> # Suppress Nessus alerts for the nessus server...  suppress gen_id 1,
> sig_id 2002664, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ET SCAN
> Nessus User Agent suppress gen_id 1, sig_id 2102585, track by_src, ip
> <IPADDRESS_TO_EXCLUDE> # GPL SCAN nessus 2.x 404 probe suppress gen_id
> 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ETPRO
> SCAN Nessus Scanner UPNP Broadcast
> So I have one nessus scanner and I don’t want to log nessus traffic
> from it. This is just one example. I have several other false
> positives with certain systems but I want to keep the rules available
> for logging for everything else.
> Am I messing up the syntax? I’ve searched and searched but all I can
> find is some references to not being able to override “in rule limits”
> and similar wording. Is it possible that this is what is happening
> here? I find it hard to believe that I can’t suppress a rule for a
> particular IP.
> Thanks for the help.
> Joey _______________________________________________ Suricata IDS
> Users mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

Andreas Herz

More information about the Oisf-users mailing list