[resolved] snort openappid alert limit



  • Hello, is it possible to reduce the number of alerts for an app to once per minute? For example, I browse to www.netflix.com and the log fills up with 30+ alerts saying "netflix". Is there a way to limit it to 1 alert per minute?

    Thanks



  • You can use Suppress rules to take care of this. You need to have the GID:SID of the OpenAppID rule you want to rate limit. You can't just click through this in the GUI, though. You will have to manually edit the Suppress List for the interface on the SUPPRESS tab. You can find examples for rate limiting on the web via a Google search.



  • Found a solution in this suppress rule:

    event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 10

    seems to be applied to all gid/sid.



  • @Actionhenk said in [resolved] snort openappid alert limit:

    Found a solution in this suppress rule:

    event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 10

    seems to be applied to all gid/sid.

    If you want it to apply to just a single rule, then change the sig_id field to match the value of the SID for the offending rule. SID is short for "Signature ID", and is a unique value assigned to each rule. Rules are identified by their "Generator ID" (GID) and "Signature ID" (SID). The GID is usually 1 unless the rule is associated with a handful of special Snort preprocessors. In that case, the GID will be a 3-digit number.
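To make the difference between the `sig_id 0` filter from the thread and a single-SID filter concrete, here is an added Python model of Snort's `event_filter ... type limit` semantics run over a constructed batch of alerts. It is not code from the forum thread or from Snort; the SIDs (4000001, 4000002), the client and server addresses and the alert records are placeholders, and the model assumes Snort keeps its counters per rule and per tracked host (so a `sig_id 0` filter still limits each rule separately). The equivalent Snort line for the original request would be `event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60`.

```python
"""Model of Snort's ``event_filter ... type limit`` behaviour (added example).

Constructed sample data only; SIDs, addresses and timestamps are placeholders.
"""
from collections import Counter


class EventFilterLimit:
    """Models one line of the form

        event_filter gen_id G, sig_id S, type limit, track by_src, count C, seconds T

    'type limit' passes the first C matching events per tracked host in each
    T-second window and drops the rest until the window expires. sig_id 0 makes
    the filter match every rule with that gen_id (what the thread observed).
    Assumption of this model: counters are kept per (gid, sid, host), so a
    sig_id 0 filter limits each rule on its own rather than all rules together.
    """

    def __init__(self, gen_id, sig_id, count, seconds, track="by_src"):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.gen_id, self.sig_id = gen_id, sig_id
        self.count, self.seconds, self.track = count, seconds, track
        self._windows = {}  # (gid, sid, host) -> [window_start, events_in_window]

    def matches(self, gid, sid):
        """sig_id 0 is a wildcard; otherwise the SID must match exactly."""
        return gid == self.gen_id and self.sig_id in (0, sid)

    def allow(self, ts, gid, sid, src, dst):
        """Return True if the alert should be logged, False if it is suppressed."""
        if not self.matches(gid, sid):
            return True  # filter does not cover this rule; alert passes untouched
        host = src if self.track == "by_src" else dst
        key = (gid, sid, host)
        window = self._windows.get(key)
        if window is None or ts - window[0] >= self.seconds:
            window = [ts, 0]  # first event after expiry opens a fresh window
            self._windows[key] = window
        window[1] += 1
        return window[1] <= self.count


def apply_filter(flt, alerts):
    """Run alert tuples (ts, gid, sid, src, dst, msg) through the filter in time order."""
    return [a for a in sorted(alerts, key=lambda a: a[0]) if flt.allow(*a[:5])]


def count_by_rule_and_host(alerts):
    """How many alerts survived, keyed by (sid, source host)."""
    return Counter((a[2], a[3]) for a in alerts)


# Constructed sample: 30 "netflix" hits in 30 seconds from one client, two more
# from a second client, and two hits of a different (hypothetical) rule.
SERVER = "198.51.100.5"
SAMPLE_ALERTS = (
    [(float(t), 1, 4000001, "192.0.2.10", SERVER, "netflix") for t in range(30)]
    + [(5.0, 1, 4000001, "192.0.2.20", SERVER, "netflix"),
       (6.0, 1, 4000001, "192.0.2.20", SERVER, "netflix")]
    + [(3.0, 1, 4000002, "192.0.2.10", SERVER, "youtube"),
       (4.0, 1, 4000002, "192.0.2.10", SERVER, "youtube")]
)

if __name__ == "__main__":
    scenarios = [
        # The thread's filter: every gid 1 rule, one alert per source per 10 s.
        ("all rules / 10 s", EventFilterLimit(gen_id=1, sig_id=0, count=1, seconds=10)),
        # Same idea restricted to one SID, as the last reply suggests.
        ("sid 4000001 / 10 s", EventFilterLimit(gen_id=1, sig_id=4000001, count=1, seconds=10)),
        # The original request: one alert per source per minute.
        ("all rules / 60 s", EventFilterLimit(gen_id=1, sig_id=0, count=1, seconds=60)),
    ]
    for name, flt in scenarios:
        kept = apply_filter(flt, SAMPLE_ALERTS)
        print(f"{name}: {len(kept)} of {len(SAMPLE_ALERTS)} alerts logged",
              dict(count_by_rule_and_host(kept)))
```

Running it shows the 10-second wildcard filter cutting the 34 constructed alerts down to 5 (three windows for the chatty client on the netflix rule, one each for the second client and for the youtube rule), the single-SID filter leaving the youtube alerts untouched, and the 60-second version collapsing everything to one alert per rule per source.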

