Netgate Discussion Forum

    Snort - Suppression Tutorial - (How to get rid of annoying alerts)

      moh10ly

      Hello Guys,

      I thought of creating a small tutorial for people who have problems with false positive alerts or websites they wanna visit and don't get alerts from, using the suppression option/list.

      Here's a link to the tutorial document with snapshots.
      http://sdrv.ms/QMrOFz

      Please, if it has any technical/grammatical mistakes, do let me know ;D

      Let me know if it was useful to you so I continue to write.

      Thanks
      Mohammed JH

      Power is Knowledge.

        kilthro

        Overall great start! :-) I would point out that they have to click the + sign next to the rule in the SID box to add it to a suppress list (this will put in the description and suppressed ID automatically). Also, it may be noteworthy to show in the settings of the interface how to enable the suppress list and the pull-down to select the suppress list. I am not sure, since I have had mine set up from back in the manual days of doing things, whether on the new version of Snort, if there is no suppress list set up and you click the +, Snort will automatically create a custom suppress list, add the SID etc. to it, and finally tell the interface to use the newly created list.

        When I set mine up, it was all manual and I had to create that and change the settings myself, so even if it is automated it may be good to add those screenshots to the walkthrough so people know how to manually check to see if the interface is actively using it. Or maybe in the event they no longer want the interface to use that suppress list.

        Other than that, thanks for putting that together. I am sure it will help some new users to snort.

          moh10ly

          Yeah, I noticed later that there's an option for suppression in the new package :-[ but in general it adds to our knowledge, as you said, esp. for newbies. ;D

          Power is Knowledge.
