How do you write suppress rules for snort
-
Hi
I am trying to understand how I will write the suppress rules.
Example:
1 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:14
2 3 ICMP ICMP PING *NIX Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:366:7 07/27-17:49:14
3 3 ICMP ICMP PING BSDtype Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:368:6 07/27-17:49:14
4 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:13
5 3 ICMP ICMP PING *NIX Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:366:7 07/27-17:49:13
6 3 ICMP ICMP PING BSDtype Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:368:6 07/27-17:49:13
7 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:12
I have added 33.33.33.33 in the Whitelist, so that it does not block the IP 33.33.33.33,
but I don't want to see these logs in the Alerts file.
So how will I write the suppress rules? I tried to write it like this:
suppress gen_id 1, sig_id 1852, track by_src, ip 33.33.33.33
then added this suppress rule in the Interface tab,
but it did not work. So can you please tell me how to write the rules so that I don't see any log related to 33.33.33.33?
Thanks -
I think the sig_id doesn't match the log you've posted. It's the second number in the string, i.e. 1:384:5.
So, you need to write:
suppress gen_id 1, sig_id 384, track by_src, ip 33.33.33.33
suppress gen_id 1, sig_id 366, track by_src, ip 33.33.33.33
suppress gen_id 1, sig_id 368, track by_src, ip 33.33.33.33
Also, you need to set up the If Settings > Suppression and filtering option.
Check the Snort FAQ: http://forum.pfsense.org/index.php/topic,16847.0.html -
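The point of the answer above is that the sig_id is the middle number of the "1:384:5" triple in each alert line, not the row number or the revision. As an added example (not from this thread or from pfSense/Snort), the script below parses alert lines in the format quoted in the question and emits one suppress line per distinct gen_id/sig_id pair seen from a given source address; the sample alert text is constructed to match the thread's format.

```python
import re
from typing import List

# Constructed sample, in the same layout as the alert lines quoted in the question
SAMPLE_ALERTS = """\
1 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:14
2 3 ICMP ICMP PING *NIX Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:366:7 07/27-17:49:14
3 3 ICMP ICMP PING BSDtype Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:368:6 07/27-17:49:14
4 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:13
"""

# Fields we need: the source IP before "empty ->", the destination after it,
# and the gen_id:sig_id:rev triple that precedes the timestamp.
ALERT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+ -> (?P<dst>\S+) \S+ "
    r"(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+) "
)


def suppress_rules(alert_text: str, src_ip: str) -> List[str]:
    """Return one 'suppress' line per distinct (gen_id, sig_id) seen from src_ip,
    in first-seen order. Lines that do not parse or come from other hosts are skipped."""
    seen: List[tuple] = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m is None or m.group("src") != src_ip:
            continue
        # sig_id is the middle number of "1:384:5"; the revision is irrelevant to suppress
        key = (int(m.group("gid")), int(m.group("sid")))
        if key not in seen:
            seen.append(key)
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src_ip}"
        for gid, sid in seen
    ]


if __name__ == "__main__":
    print("\n".join(suppress_rules(SAMPLE_ALERTS, "33.33.33.33")))
```

Note that these lines suppress only the listed sig_ids from that source; a different signature firing on the same host will still be logged, which is usually what you want when a host has been whitelisted.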
Hi, thanks.
I will try this tomorrow morning, then I will come back to you. I believe you showed me the right way, but if I still have any problem I will come back to you tomorrow.
Thanks for your time and advice -
It would have been nice if something in the original post indicated it was related to snort :(
-
@danswartz
Thanks
I added the word Snort to the question. -
@johnnybe
Thanks, yes, those rules work.
Now I can suppress the necessary logs. -