Netgate Discussion Forum

    Snort - How to Suppress priority "3" events

    pfSense Packages
      jrmitchell83

      Hello,

      I'm running pfSense 2.0.1 and just installed Snort. I love the autoblocking feature; however, Snort picks up on events that really are just warnings and then blocks the host's IP, etc. I know I can suppress the individual events so they are flagged in the future, but I'm looking for the magic syntax to drop into the suppress dialog to skip, say, priority "3" events that I really don't care about. This would allow me to leave the system automatically blocking the real threats and simply skip the warnings.

      Anyone know how to do this or otherwise have any other ways of accomplishing it? As stated above, I don't want to create separate individual suppress statements for each event that accidentally gets captured; I'm simply looking for a way to only pick up on priority 1 and 2 events.

      Thank you!!
      -Justin

        jrmitchell83

        Nobody has any insight on this?

          moe2006

          Well, I am faced with the same problem. Therefore I don't dare to activate the blocking feature in pfSense Snort. The only thing you can do is to go through ALL the rules and activate only those which are relevant to your network (i.e. disable rules for INFO, POLICY, and so on). If there are still alerts, you have to add them to the suppress list and unblock affected hosts.

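The last step moe2006 describes, adding the remaining low-priority alerts to the suppress list, can be scripted. This is an added example, not part of the original thread or of the pfSense Snort package: it assumes alerts logged in Snort's "fast" format, and the sample lines, SIDs and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" format (assumed); SIDs are made up.
SAMPLE_ALERTS = """\
03/14-10:02:11.120000  [**] [1:1000001:3] EXAMPLE INFO web client request [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51512 -> 198.51.100.7:80
03/14-10:02:15.480000  [**] [1:1000001:3] EXAMPLE INFO web client request [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.11:51600 -> 198.51.100.7:80
03/14-10:03:40.000100  [**] [1:1000002:5] EXAMPLE exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4444 -> 192.0.2.10:445
03/14-10:04:02.900000  [**] [119:2:1] EXAMPLE preprocessor notice [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.12:40000 -> 198.51.100.9:80
truncated or unrelated log line
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]"
)

def parse_alerts(text):
    """Yield (gid, sid, msg, priority) for each line that parses as an alert."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], int(m["prio"])

def suppress_candidates(text, min_priority=3):
    """Return (suppress_line, msg, hits) per signature that only ever fired
    at priority >= min_priority (a larger number means less severe)."""
    hits, msgs, severe = Counter(), {}, set()
    for gid, sid, msg, prio in parse_alerts(text):
        if prio >= min_priority:
            hits[(gid, sid)] += 1
            msgs[(gid, sid)] = msg
        else:
            severe.add((gid, sid))  # also seen at a more severe priority: keep
    return [
        (f"suppress gen_id {gid}, sig_id {sid}", msgs[(gid, sid)], hits[(gid, sid)])
        for gid, sid in sorted(hits) if (gid, sid) not in severe
    ]

if __name__ == "__main__":
    # Print for review; paste only the suppress lines you agree with.
    for line, msg, count in suppress_candidates(SAMPLE_ALERTS):
        print(f"{line}    <- {msg} ({count} alerts)")
```

A suppressed signature no longer generates alerts at all, so review each candidate before adding it to the suppress list.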
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.