Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort - How to Supress priority "3" events

    pfSense Packages
    2
    3
    1594
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jrmitchell83
      last edited by

      Hello,

      I'm running pfSense 2.0.1 and just installed Snort. I love the autoblocking feature however Snort picks up on events that really are just warnings and then blocks the hosts IP, etc. I know I can suppress the individual events so they are flagged in the future but I'm looking for the magic syntax to drop into the suppress dialog to skip say priority "3" events that I really don't care about. This would allow for me to leave the system automatically blocking the real threats and simply skip the warnings.

      Anyone know how to do this or otherwise have any other ways of accomplishing? As stated above I don't want to create separate individual suppress statements for each event that accidentally gets captured I'm simply looking for a way to only pick up on priority 1 and 2 events.

      Thank you!!
      -Justin

      1 Reply Last reply Reply Quote 0
      • J
        jrmitchell83
        last edited by

        Nobody has any insight on this?

        1 Reply Last reply Reply Quote 0
        • M
          moe2006
          last edited by

          Well, I am faced with the same problem. Therefore I dont dare to activate the blocking feature in pfsense snort. The only thing you can do is to go through ALL the rules an activate only those which are relevant to your network (i.e. disable rules for INFO, POLICY, and so on). If there are still alerts you have to add them to the suppress list and unblock affected hosts.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post