Snort: Blocking traffic on some SIDs but don't add an entry to the Alert Log



  • Hi All,

I've been using snort for about a year and have a nice set of rules and suppressions applied.

I'm using the Emerging Threats rules and my Alerts log is mostly filled with Poor Reputation alerts like "ET CINS Active Threat Intelligence Poor Reputation IP TCP group", but I would like to no longer see those entries in the Alerts and still have Snort block them. Is this possible? I've read through the Snort FAQ on filters, but that does not seem to be quite what I'm looking for.

    Any ideas?

    TIA,
    Vidmo



  • @Vidmo:

    Hi All,

I've been using snort for about a year and have a nice set of rules and suppressions applied.

I'm using the Emerging Threats rules and my Alerts log is mostly filled with Poor Reputation alerts like "ET CINS Active Threat Intelligence Poor Reputation IP TCP group", but I would like to no longer see those entries in the Alerts and still have Snort block them. Is this possible? I've read through the Snort FAQ on filters, but that does not seem to be quite what I'm looking for.

    Any ideas?

    TIA,
    Vidmo

No, it is not currently possible to filter out the alerts and still have them blocked. You can filter the results shown on the ALERTS tab, but the actual alert text will still be in the log file, and you would have to manually reapply the filter each time you opened the ALERTS tab.

    Bill