Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CIDR in suppress list not showing in Alerts pane

    Scheduled Pinned Locked Moved IDS/IPS
    7 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cyberzeus
      last edited by

      At present, when specifying a src\dst host IP for a suppress list entry, this is indicated with any alert for that SID by replacing the small "+" sign (located under the 2nd octet) with a small checkbox. When specifying a CIDR block instead of a host IP, no such checkbox is shown and the "+" sign remains thereby not indicating that a suppress entry exists for that SID.

      Can this be changed so that the checkbox is shown when either a host IP or subnet are provided in the suppress list?

      1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad
        last edited by

        Nope, suppress the host entry then edit the suppress list after to changing it to the subnet/cidr.

        #ET MALWARE User-Agent (Mozilla/4.0 (compatible)) - muso BBC iPlayer
        suppress gen_id 1, sig_id 2008974, track by_dst, ip 23.192.162.0/24

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        1 Reply Last reply Reply Quote 0
        • C
          cyberzeus
          last edited by

          Thx but it's apparent you didn't understand what I was asking\suggesting...please re-read and ask me if you need clarification. Otherwise, I'm sure someone else will be able to address my questions...

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad
            last edited by NogBadTheBad

            I understand exactly what your saying, you cant do what you want, it's not in the Snort GUI.

            Snort sees the alert from an IP address not a subnet.

            The only way to do it is edit the suppress entry after creating it with the src or dst being an IP address NOT a subnet.

            If you want to change the way the GUI works create a feature request in redmine:-

            https://redmine.pfsense.org/projects/pfsense

            Bill Meeks is the Snort / Suricata guy.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            1 Reply Last reply Reply Quote 0
            • C
              cyberzeus
              last edited by cyberzeus

              No - you clearly do not understand what I am asking. I'm not asking for any change in the suppress rule addition function and nowhere in my OP does it indicate that. What I am asking about is strictly a GUI symbol visibility change.

              For some unknown reason, you seem to think I am asking for subnet suppress rule to be added - no idea where you're getting that but again, not remotely my question...

              And of course it's possible because the system at present checks against subnet rules - so that logic is already there. All that would need to be done is tell the GUI to indicate when a subnet rule applies to a given alert exactly the same way as it does right now for a host rule.

              1 Reply Last reply Reply Quote 0
              • NogBadTheBadN
                NogBadTheBad
                last edited by

                Put a request in via redmine then, thats the correct method to get changes.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                C 1 Reply Last reply Reply Quote 0
                • C
                  cyberzeus @NogBadTheBad
                  last edited by cyberzeus

                  @nogbadthebad I wanna assume good faith here and that you're trying to help - but please try and not fall into the trap of first failing to read the OP, then insisting on a non-solution, followed by complete ignoring the OP altogether. I understand how to submit FRs - not my purpose here. Simply ignore the thread if you have nothing assistive to add.

                  Thanks.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.