[Oisf-users] Question about thresholds

Michał Purzyński michalpurzynski1 at gmail.com
Tue Oct 2 14:07:54 UTC 2018


Take a look at pass rules for that

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

> On Oct 2, 2018, at 3:49 PM, Carlos Lopez <clopmz at outlook.com> wrote:
> 
> Thanks Michal. And is it possible to disable all alerts from a specific IP address? For example:
> 
> suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.1
> 
> Regards,
> C. L. Martinez
> ________________________________________
> From: Michał Purzyński <michalpurzynski1 at gmail.com>
> Sent: 02 October 2018 13:39
> To: Carlos Lopez
> Cc: Open Information Security Foundation
> Subject: Re: [Oisf-users] Question about thresholds
> 
> A real world example that seems to work here
> 
> 
> suppress gen_id 1, sig_id 2002027, track by_dst, ip [10.22.22.0/24,10.22.11.0/24,2620:1111:1111:1111::/64]
> 
> On Tue, Oct 2, 2018 at 1:18 PM Carlos Lopez <clopmz at outlook.com> wrote:
> Hi all,
> 
> Maybe it is a stupid question, but is it not possible to configure a CIDR network to suppress some alerts via threshold.conf? For example:
> 
> suppress gen_id 1, sig_id 2101201, track by_src, ip 192.168.1.0/24
> 
> If not, what can be the best strategy to accomplish this?
> 
> Regards,
> C. L. Martinez
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
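As an added illustration (not code from the thread or from Suricata itself): a small Python checker that parses suppress lines in the threshold.conf syntax quoted above, including the bracketed IPv4/IPv6 CIDR list, and reports whether a given alert would be covered by them. The rules and alerts are constructed samples, and the matching is a simplified model (exact gen_id/sig_id match, by_src/by_dst tracking only), not Suricata's own threshold parser.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed suppress lines using the threshold.conf syntax quoted in the thread:
# one CIDR tracked by_src, and a bracketed list mixing IPv4 and IPv6 prefixes tracked by_dst.
SUPPRESS_CONF = """
suppress gen_id 1, sig_id 2101201, track by_src, ip 192.168.1.0/24
suppress gen_id 1, sig_id 2002027, track by_dst, ip [10.22.22.0/24,10.22.11.0/24,2620:1111:1111:1111::/64]
"""

LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)

# track is "by_src", "by_dst" or None (no ip condition); nets holds the parsed prefixes
Suppress = namedtuple("Suppress", "gid sid track nets")

def parse_suppress(text):
    """Parse suppress lines; raise ValueError on a line this checker does not understand."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised suppress line: %r" % line)
        gid, sid, track, ipfield = m.groups()
        nets = []
        if ipfield:
            # Either one address/CIDR or a bracketed, comma-separated list of them.
            for tok in ipfield.strip("[]").split(","):
                nets.append(ipaddress.ip_network(tok.strip(), strict=False))
        rules.append(Suppress(int(gid), int(sid), track, nets))
    return rules

def is_suppressed(rules, gid, sid, src, dst):
    """True if an alert (gid, sid, src, dst) is covered by any parsed suppress rule."""
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue
        if r.track is None:          # no track/ip clause: suppressed for every host
            return True
        addr = ipaddress.ip_address(src if r.track == "by_src" else dst)
        if any(addr in net for net in r.nets):   # a v4 address is never in a v6 prefix
            return True
    return False
```

Running the alerts you expect to keep through `is_suppressed` before deploying a threshold.conf change shows whether a by_src rule accidentally covers traffic you only meant to whitelist by destination.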