[Oisf-users] threshold.conf not being honored?
Andreas Herz
andi at geekosphere.org
Tue Mar 31 13:56:20 UTC 2015
Hi,
On 31/03/15 at 08:51, Barkley, Joey wrote:
> I am having some trouble getting some rules suppressed in my
> threshold.conf file. I have verified the file path in my suricata.yaml
> file. I want to basically turn off certain rules for certain IPs. Here
> is a sample of what I have in the file:
suppress is not working as intended at the moment, see the issues
related to that:
https://redmine.openinfosecfoundation.org/issues/1247
https://redmine.openinfosecfoundation.org/issues/1243
> # Suppress Nessus alerts for the nessus server...
> suppress gen_id 1, sig_id 2002664, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ET SCAN Nessus User Agent
> suppress gen_id 1, sig_id 2102585, track by_src, ip <IPADDRESS_TO_EXCLUDE> # GPL SCAN nessus 2.x 404 probe
> suppress gen_id 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE> # ETPRO SCAN Nessus Scanner UPNP Broadcast
>
> So I have one nessus scanner and I don’t want to log nessus traffic
> from it. This is just one example. I have several other false
> positives with certain systems but I want to keep the rules available
> for logging for everything else.
>
> Am I messing up the syntax? I’ve searched and searched but all I can
> find is some references to not being able to override “in rule limits”
> and similar wording. Is it possible that this is what is happening
> here? I find it hard to believe that I can’t suppress a rule for a
> particular IP.
>
> Thanks for the help.
>
> Joey
--
Andreas Herz
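The suppress entries quoted above follow the documented threshold.conf grammar (suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <address or subnet>). The script below is an added example, not Suricata's own code or anything from this thread: it parses such entries and evaluates them against constructed alerts, so you can confirm offline that a rule is syntactically valid and that its track direction matches the traffic you mean to suppress (track by_src only drops alerts where the listed host is the source). The scanner address 10.0.0.5 and the sample alerts are constructed for the demo; Joey's real address is a placeholder in the post and is left as one here to show that an unreplaced placeholder is reported instead of silently ignored. Simplifications: only suppress lines are handled, address variables such as $HOME_NET are not resolved and are reported as errors, and by_either is accepted because newer Suricata releases document it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Grammar of a suppress entry as documented for threshold.conf:
#   suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst|by_either>, ip <ip|subnet>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)\s*,\s*ip\s+(?P<ip>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]    # None means: suppress the signature for all traffic
    net: Optional[Network]  # address or subnet the track direction is matched against


def parse_threshold_conf(text: str) -> Tuple[List[Suppress], List[Tuple[int, str]]]:
    """Return (parsed suppress rules, [(line number, offending line), ...])."""
    rules: List[Suppress] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or not line.lower().startswith("suppress"):
            continue  # blank lines, comments and threshold/event_filter entries are out of scope
        m = SUPPRESS_RE.match(line)
        if not m:
            errors.append((lineno, raw))
            continue
        net = None
        if m.group("ip") is not None:
            try:
                # strict=False accepts a prefix with host bits set, e.g. 10.0.0.5/24
                net = ipaddress.ip_network(m.group("ip"), strict=False)
            except ValueError:
                # Address variables such as $HOME_NET and unreplaced placeholders land here.
                errors.append((lineno, raw))
                continue
        track = m.group("track").lower() if m.group("track") else None
        rules.append(Suppress(int(m.group("gid")), int(m.group("sid")), track, net))
    return rules, errors


def is_suppressed(rules: List[Suppress], gid: int, sid: int, src_ip: str, dst_ip: str) -> bool:
    """Would an alert for gid:sid between src_ip and dst_ip be suppressed by these rules?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue
        if r.track is None:
            return True
        if r.track == "by_src" and src in r.net:
            return True
        if r.track == "by_dst" and dst in r.net:
            return True
        if r.track == "by_either" and (src in r.net or dst in r.net):
            return True
    return False


# Constructed threshold.conf fragment: the three sids from the thread with an assumed
# scanner address, plus one line where the placeholder was never replaced.
SAMPLE_CONF = """\
# Suppress Nessus alerts for the nessus server...
suppress gen_id 1, sig_id 2002664, track by_src, ip 10.0.0.5   # ET SCAN Nessus User Agent
suppress gen_id 1, sig_id 2102585, track by_src, ip 10.0.0.5   # GPL SCAN nessus 2.x 404 probe
suppress gen_id 1, sig_id 2803236, track by_src, ip 10.0.0.5   # ETPRO SCAN Nessus Scanner UPNP Broadcast
# A placeholder that was never replaced: must be reported, not silently ignored
suppress gen_id 1, sig_id 2803236, track by_src, ip <IPADDRESS_TO_EXCLUDE>
"""

if __name__ == "__main__":
    rules, errors = parse_threshold_conf(SAMPLE_CONF)
    for lineno, line in errors:
        print(f"line {lineno}: cannot parse: {line}")
    # Constructed alerts: (gid, sid, src, dst). Only the first is from the scanner itself.
    for gid, sid, src, dst in [
        (1, 2002664, "10.0.0.5", "10.1.2.3"),   # scanner -> target: suppressed
        (1, 2002664, "10.1.2.3", "10.0.0.5"),   # target -> scanner: by_src does not match
        (1, 2002664, "10.0.0.6", "10.1.2.3"),   # other host: still logged
    ]:
        print(f"{gid}:{sid} {src} -> {dst}: suppressed={is_suppressed(rules, gid, sid, src, dst)}")
```

Run it once against your real threshold.conf text (read the file into parse_threshold_conf) before restarting Suricata: a non-empty error list means a line the daemon will not apply, and a False where you expected True usually means the alert has the excluded host as destination, which by_src never covers.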