CIDR in suppress list not showing in Alerts pane
At present, when specifying a src\dst host IP for a suppress list entry, this is indicated with any alert for that SID by replacing the small "+" sign (located under the 2nd octet) with a small checkbox. When specifying a CIDR block instead of a host IP, no such checkbox is shown and the "+" sign remains thereby not indicating that a suppress entry exists for that SID.
Can this be changed so that the checkbox is shown when either a host IP or a subnet is provided in the suppress list?
Nope, suppress the host entry, then edit the suppress list afterwards to change it to the subnet/CIDR.
#ET MALWARE User-Agent (Mozilla/4.0 (compatible)) - muso BBC iPlayer
suppress gen_id 1, sig_id 2008974, track by_dst, ip -
Thx but it's apparent you didn't understand what I was asking\suggesting...please re-read and ask me if you need clarification. Otherwise, I'm sure someone else will be able to address my questions...
I understand exactly what you're saying, you can't do what you want, it's not in the Snort GUI.
Snort sees the alert from an IP address not a subnet.
The only way to do it is edit the suppress entry after creating it with the src or dst being an IP address NOT a subnet.
If you want to change the way the GUI works create a feature request in redmine:-
Bill Meeks is the Snort / Suricata guy.
No - you clearly do not understand what I am asking. I'm not asking for any change in the suppress rule addition function and nowhere in my OP does it indicate that. What I am asking about is strictly a GUI symbol visibility change.
For some unknown reason, you seem to think I am asking for subnet suppress rule to be added - no idea where you're getting that but again, not remotely my question...
And of course it's possible because the system at present checks against subnet rules - so that logic is already there. All that would need to be done is tell the GUI to indicate when a subnet rule applies to a given alert exactly the same way as it does right now for a host rule.
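As an illustration of the point above, that a host entry and a CIDR entry are the same membership check, here is an added Python example (not code from the pfSense Snort package) that parses suppress lines and decides whether a given alert is covered. The suppress list is constructed for the example: the SID is the one quoted in the thread, the addresses are RFC 5737 documentation ranges, and the parse_suppress_list and alert_is_suppressed names are assumptions.

```python
from __future__ import annotations
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample suppress list (not the thread's real file): one host entry,
# one CIDR entry for the same SID, and one entry with no track/ip at all.
SAMPLE_SUPPRESS_LIST = """\
#ET MALWARE User-Agent (Mozilla/4.0 (compatible)) - muso BBC iPlayer
suppress gen_id 1, sig_id 2008974, track by_dst, ip 192.0.2.10
suppress gen_id 1, sig_id 2008974, track by_src, ip 198.51.100.0/24
suppress gen_id 1, sig_id 2100498
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?\s*$"
)

@dataclass
class SuppressEntry:
    gid: int
    sid: int
    track: str | None   # "by_src", "by_dst", or None when the SID is suppressed everywhere
    net: ipaddress.IPv4Network | ipaddress.IPv6Network | None

def parse_suppress_list(text: str) -> list[SuppressEntry]:
    """Parse suppress lines; a bare host is normalised to a /32 (or /128) network."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue  # not a suppress line (e.g. a threshold line); ignore it
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append(SuppressEntry(int(gid), int(sid), track, net))
    return entries

def alert_is_suppressed(entries, gid: int, sid: int, src: str, dst: str) -> bool:
    """True if any entry covers this alert, whether the entry is a host or a CIDR block."""
    for e in entries:
        if (e.gid, e.sid) != (gid, sid):
            continue
        if e.track is None:
            return True
        addr = ipaddress.ip_address(src if e.track == "by_src" else dst)
        if addr in e.net:  # membership test is identical for /32 hosts and wider blocks
            return True
    return False
```

A GUI deciding whether to draw the checkbox instead of the "+" sign would call alert_is_suppressed with the alert's gid, sid, source and destination, and the CIDR case falls out of the same test as the host case.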
Put a request in via redmine then, that's the correct method to get changes.
@nogbadthebad I wanna assume good faith here and that you're trying to help - but please try and not fall into the trap of first failing to read the OP, then insisting on a non-solution, followed by completely ignoring the OP altogether. I understand how to submit FRs - not my purpose here. Simply ignore the thread if you have nothing assistive to add.