Netgate Discussion Forum
    How do you write suppress rules for snort

    pfSense Packages
    fosiul wrote:

      Hi,
      I am trying to understand how I should write the suppress rules.
      Example (rows from the Snort Alerts tab; the "empty" columns are the source/destination ports, which ICMP does not have):

      #  Pri  Proto  Description        Class          Src          SPort  ->  Dst           DPort  GID:SID:Rev  Date
      1  3    ICMP   ICMP PING          Misc activity  33.33.33.33  empty  ->  192.168.88.1  empty  1:384:5      07/27-17:49:14
      2  3    ICMP   ICMP PING *NIX     Misc activity  33.33.33.33  empty  ->  192.168.88.1  empty  1:366:7      07/27-17:49:14
      3  3    ICMP   ICMP PING BSDtype  Misc activity  33.33.33.33  empty  ->  192.168.88.1  empty  1:368:6      07/27-17:49:14
      4  3    ICMP   ICMP PING          Misc activity  33.33.33.33  empty  ->  192.168.88.1  empty  1:384:5      07/27-17:49:13
      5  3    ICMP   ICMP PING *NIX     Misc activity  33.33.33.33  empty  ->  192.168.88.1  empty  1:366:7      07/27-17:49:13
      6  3    ICMP   ICMP PING BSDtype  Misc activity  33.33.33.33  empty  ->  192.168.88.1  empty  1:368:6      07/27-17:49:13
      7  3    ICMP   ICMP PING          Misc activity  33.33.33.33  empty  ->  192.168.88.1  empty  1:384:5      07/27-17:49:12

      I have added 33.33.33.33 to the Whitelist, so that it does not block the IP 33.33.33.33,

      but I don't want to see these logs in the Alerts file.
      So how should I write the suppress rules?

      I tried to write it like this:

      suppress gen_id 1, sig_id 1852, track by_src, ip 33.33.33.33

      then added this suppress rule in the Interface tab,
      but it did not work.

      So can you please tell me how to write the rules so that I don't see any log related to 33.33.33.33?
      Thanks

      johnnybe wrote:

        I think the sig_id doesn't match the log you've posted. It's the second number in the string, i.e. 1:384:5.
        So you need to write:

        suppress gen_id 1, sig_id 384, track by_src, ip 33.33.33.33
        suppress gen_id 1, sig_id 366, track by_src, ip 33.33.33.33
        suppress gen_id 1, sig_id 368, track by_src, ip 33.33.33.33

        Also, you need to set up the If Settings > Suppression and filtering option.
        Check the Snort FAQ: http://forum.pfsense.org/index.php/topic,16847.0.html

        you would not believe the view up here

        fosiul wrote:
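As an added worked example (this is not code from either poster or from the pfSense Snort package): a small Python script that pulls the GID:SID:Rev triple and the source/destination addresses out of alert rows like the ones above, emits one `suppress gen_id X, sig_id Y, track by_src, ip Z` line per distinct GID:SID seen from a given source, and then checks each alert against a suppress list the way Snort's threshold.conf semantics describe it: gen_id and sig_id must both match (rev is not part of the key), `track by_src`/`by_dst` compares the named address against the `ip` field (a single address or a CIDR block), and an entry with no `track` suppresses the signature for every address. The sample rows are constructed copies of the rows in the question, the column layout the regular expression assumes (`src sport -> dst dport gid:sid:rev`) is taken from those rows, and the script does not touch pfSense; it only prints lines you would paste into the suppress list.

```python
"""Build and sanity-check Snort 'suppress' entries from pfSense Snort alert rows."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, shaped like the Alerts-tab rows in the question
# (ICMP, so the port columns read "empty").
SAMPLE_ALERTS = """\
1 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:14
2 3 ICMP ICMP PING *NIX Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:366:7 07/27-17:49:14
3 3 ICMP ICMP PING BSDtype Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:368:6 07/27-17:49:14
4 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:13
"""


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    src: str
    dst: str


# The description column is free text, so anchor on the two fixed-shape parts of
# a row: "src sport -> dst dport" and the trailing "gid:sid:rev" triple.
ALERT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)"
)


def parse_alerts(text: str) -> List[Alert]:
    """Return one Alert per row that carries a src -> dst block and a gid:sid:rev triple."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["src"], m["dst"]))
    return alerts


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None  # "by_src", "by_dst", or None (suppress for every address)
    net: Optional[str] = None    # IP address or CIDR block; required when track is set

    def line(self) -> str:
        """Render the entry in threshold.conf / pfSense suppress-list syntax."""
        s = f"suppress gen_id {self.gid}, sig_id {self.sid}"
        if self.track:
            s += f", track {self.track}, ip {self.net}"
        return s

    def matches(self, a: Alert) -> bool:
        """True if this entry would silence alert `a` (assumed threshold.conf semantics)."""
        if (self.gid, self.sid) != (a.gid, a.sid):
            return False          # sig_id 1852 never matches a 1:384:5 alert, hence the original failure
        if self.track is None:
            return True           # untracked entry: suppress the signature everywhere
        addr = a.src if self.track == "by_src" else a.dst
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.net, strict=False)


def suppress_for_source(alerts: List[Alert], src: str) -> List[Suppress]:
    """One by_src entry per distinct (gid, sid) seen from `src`; rev is deliberately ignored."""
    keys: List[Tuple[int, int]] = sorted({(a.gid, a.sid) for a in alerts if a.src == src})
    return [Suppress(gid, sid, "by_src", src) for gid, sid in keys]


def unsuppressed(alerts: List[Alert], rules: List[Suppress]) -> List[Alert]:
    """Alerts that no entry in `rules` would silence."""
    return [a for a in alerts if not any(r.matches(a) for r in rules)]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for rule in suppress_for_source(parsed, "33.33.33.33"):
        print(rule.line())
    # Show why the first attempt in the question silenced nothing.
    print(len(unsuppressed(parsed, [Suppress(1, 1852, "by_src", "33.33.33.33")])), "alerts still fire with sig_id 1852")
```

Run it as-is to get the three lines johnnybe posted; feed it a different source address or a CIDR in `net` to cover a whole subnet. Keep `track by_src` on entries that exist only to quiet a trusted host: dropping `track` (an untracked entry) hides that signature for every source, which is a blind spot rather than a suppression.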

          Hi, thanks.
          I will try this tomorrow morning, then I will come back to you. I believe you showed me the right way, but if I still have any problem I will come back to you tomorrow.
          Thanks for your time and advice.

          danswartz wrote:

            It would have been nice if something in the original post had indicated it was related to Snort :(

            fosiul wrote:

              @danswartz
              Thanks,
              I added the word Snort to the question.

              fosiul wrote:

                @johnnybe
                Thanks, yes, those rules work.
                Now I can suppress the necessary logs.

                johnnybe wrote:

                  @fosiul:
                  > @johnnybe
                  > Thanks, yes, those rules work.
                  > Now I can suppress the necessary logs.

                  Well, you know… you should say thanks to jamesdean. He made the Snort package FAQ.
                  That's where I learnt it.
                  You're welcome, anyway.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.