CIDR in suppress list not showing in Alerts pane

  • At present, when specifying a src\dst host IP for a suppress list entry, this is indicated with any alert for that SID by replacing the small "+" sign (located under the 2nd octet) with a small checkbox. When specifying a CIDR block instead of a host IP, no such checkbox is shown and the "+" sign remains thereby not indicating that a suppress entry exists for that SID.

    Can this be changed so that the checkbox is shown when either a host IP or subnet are provided in the suppress list?

  • Galactic Empire

    Nope, suppress the host entry then edit the suppress list after to changing it to the subnet/cidr.

    #ET MALWARE User-Agent (Mozilla/4.0 (compatible)) - muso BBC iPlayer
    suppress gen_id 1, sig_id 2008974, track by_dst, ip

  • Thx but it's apparent you didn't understand what I was asking\suggesting...please re-read and ask me if you need clarification. Otherwise, I'm sure someone else will be able to address my questions...

  • Galactic Empire

I understand exactly what you're saying, you can't do what you want, it's not in the Snort GUI.

    Snort sees the alert from an IP address not a subnet.

    The only way to do it is edit the suppress entry after creating it with the src or dst being an IP address NOT a subnet.

If you want to change the way the GUI works create a feature request in redmine:

    Bill Meeks is the Snort / Suricata guy.

  • No - you clearly do not understand what I am asking. I'm not asking for any change in the suppress rule addition function and nowhere in my OP does it indicate that. What I am asking about is strictly a GUI symbol visibility change.

    For some unknown reason, you seem to think I am asking for subnet suppress rule to be added - no idea where you're getting that but again, not remotely my question...

    And of course it's possible because the system at present checks against subnet rules - so that logic is already there. All that would need to be done is tell the GUI to indicate when a subnet rule applies to a given alert exactly the same way as it does right now for a host rule.
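    The host-or-subnet check the post above refers to, as an added Python example that is not part of this thread and not code from pfSense or the Snort package: it parses suppress-list entries in the `suppress gen_id ..., sig_id ..., track by_src|by_dst, ip ...` form quoted earlier in the thread, accepting either a host address or a CIDR block for `ip`, and decides whether a given alert is covered. A GUI that wanted to draw the "suppressed" checkbox for both cases could use exactly this test. The suppress lines and addresses below are constructed for the example; only SID 2008974 comes from the thread.

```python
"""Decide whether a Snort alert is covered by a suppress-list entry.

Added illustration (not pfSense / Snort package code). Snort suppress syntax:
    suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <host|cidr>]
Sample entries below are constructed; SID 2008974 is the one quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

_SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)

# Constructed suppress list: a host entry, a CIDR entry for the same SID,
# and an entry that suppresses a SID regardless of address.
SAMPLE_SUPPRESS_LIST = """
#ET MALWARE User-Agent (Mozilla/4.0 (compatible)) - muso BBC iPlayer
suppress gen_id 1, sig_id 2008974, track by_dst, ip 192.0.2.10
# same SID, whole block (constructed)
suppress gen_id 1, sig_id 2008974, track by_dst, ip 198.51.100.0/24
# suppress a SID for every address (constructed)
suppress gen_id 1, sig_id 2100498
"""


@dataclass
class SuppressEntry:
    gid: int
    sid: int
    track: Optional[str]        # "by_src", "by_dst", or None (no address restriction)
    network: Optional[Network]  # /32 (or /128) for a host entry, wider for a CIDR block


def parse_suppress_list(text: str) -> List[SuppressEntry]:
    entries: List[SuppressEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        net: Optional[Network] = None
        if m.group("ip"):
            # strict=False tolerates host bits in a CIDR (10.0.0.7/24 -> 10.0.0.0/24);
            # a bare host address becomes a /32 or /128 network.
            net = ipaddress.ip_network(m.group("ip"), strict=False)
        entries.append(
            SuppressEntry(int(m.group("gid")), int(m.group("sid")), m.group("track"), net)
        )
    return entries


def matching_entry(entries: List[SuppressEntry], gid: int, sid: int,
                   src: str, dst: str) -> Optional[SuppressEntry]:
    """Return the first entry that suppresses this alert, or None."""
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    for e in entries:
        if (e.gid, e.sid) != (gid, sid):
            continue
        if e.track is None:                      # SID-wide suppression
            return e
        addr = src_addr if e.track == "by_src" else dst_addr
        # Membership works identically for a /32 host entry and a wider block,
        # which is why the GUI could indicate both the same way.
        if addr.version == e.network.version and addr in e.network:
            return e
    return None


def is_suppressed(entries: List[SuppressEntry], gid: int, sid: int,
                  src: str, dst: str) -> bool:
    return matching_entry(entries, gid, sid, src, dst) is not None


if __name__ == "__main__":
    entries = parse_suppress_list(SAMPLE_SUPPRESS_LIST)
    for src, dst in [("10.0.0.5", "192.0.2.10"), ("10.0.0.5", "198.51.100.77"),
                     ("198.51.100.77", "10.0.0.5")]:
        hit = matching_entry(entries, 1, 2008974, src, dst)
        print(f"{src} -> {dst}: {'suppressed by ' + str(hit.network) if hit else 'not suppressed'}")
```

    Note that `track by_dst` is only tested against the destination address: an alert whose source falls inside the block but whose destination does not is still reported, which is the same distinction the host form makes.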

  • Galactic Empire

Put a request in via redmine then, that's the correct method to get changes.

@nogbadthebad I wanna assume good faith here and that you're trying to help - but please try and not fall into the trap of first failing to read the OP, then insisting on a non-solution, followed by completely ignoring the OP altogether. I understand how to submit FRs - not my purpose here. Simply ignore the thread if you have nothing assistive to add.
