Netgate Discussion Forum

Snort: Block but don't show alert?

General pfSense Questions
  • L
    LeiShen
    last edited by Mar 24, 2022, 2:44 AM

    Could not find a Snort category to post this in, so hope this one is OK.

    I want to not show certain Alerts in Snort on the Dashboard, but still have Snort block it. From the Snort docs, it appears that if I Suppress an Alert it will also stop blocking it:

    "When an alert is suppressed, then Snort no longer logs an alert entry (or blocks the IP address if block offenders is enabled) when a particular rule fires."

    I want it to still block the IP address, just not fill up my Log with all these alerts:

    1:58853 SERVER-OTHER RealTek UDPServer command injection attempt
    

    I can't find a way to do this - probably because I don't know how to phrase the search.

    Ideas?
    Thanks.

    • B
      bmeeks
      last edited by bmeeks Mar 24, 2022, 3:00 AM Mar 24, 2022, 2:57 AM

      You can't do this. It's just not how the blocking module works. You can threshold alerts, but if the alert does not fire, then the traffic will not get blocked. The Legacy Mode blocking module works from triggered alerts. It is not separate from alerts. Or stated another way, you can't "not get the alert" but "still get the block".

      In the future, the best place to post questions about Snort (or Suricata) is in the IDS/IPS Forum here: https://forum.netgate.com/category/53/ids-ips.

      • L
        LeiShen @bmeeks
        last edited by Mar 24, 2022, 3:02 AM

        @bmeeks : Bummer. But I understand now. Thanks!

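The thresholding option mentioned in the answer, sketched as an added example that is not part of either poster's text. It assumes Snort 2.9 `suppress` / `event_filter` syntax; the `count` and `seconds` values are illustrative, and where the line is entered in the pfSense package (for example the interface's suppress list) is an assumption.

```conf
# Added example. SID 1:58853 is the rule quoted in the question.

# Suppress: the rule never produces an alert, so Legacy Mode blocking,
# which works from triggered alerts, never sees it. Shown commented out.
# suppress gen_id 1, sig_id 58853

# Threshold instead: log at most one alert per source IP per window.
# That one alert still fires, so it can still trigger the block.
# count and seconds are illustrative values, not taken from the thread.
event_filter gen_id 1, sig_id 58853, type limit, track by_src, count 1, seconds 3600
```

This reduces log volume rather than hiding the alert entirely: as the answer states, an event that is filtered out does not fire and so does not itself trigger a block.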
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.