Snort mailing list archives
Re: Event Suppression between specific Source and Destination
From: Guido Hungerbuehler <guh () open ch>
Date: Fri, 14 Dec 2012 16:30:45 +0100
Hi Joel

Thanks for your feedback. But unfortunately this doesn't work in my opinion.

Assume I have Host A and Host B and I want to suppress a signature if and only if traffic goes from Host A to Host B.

If I create two suppress rules, e.g.

Suppress if originating from A
and
Suppress if destination is B

then the signature is also suppressed for any other destination than B for a packet originating in A. And it is also suppressed for any other source than A for a packet with destination B.

On 12/14/2012 04:20 PM, Joel Esler wrote:
> On Fri, Dec 14, 2012 at 11:04:23AM +0100, Guido Hungerbuehler wrote:
>> Hi
>>
>> I am running snort with alert-before-log configuration (it is necessary).
>> How can I suppress a signature between two specific hosts? With the 'Event Suppression' configuration it is only possible to select either track by_src or track by_dst.
>>
>> The next question is: Why is this even like this for 'Event Suppression'?
>>
>> I already searched the mailing-list archive because I think this issue must have been discussed earlier but I didn't find any information.
>>
>> Thanks for your help.
>
> If you suppress it in one direction, then you won't see the alert. If you have bidirectional traffic that you want to suppress, you need to create two suppressions
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
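Added example, not part of the original message and not Snort code: a small Python model of the two-suppression approach discussed above, showing which flows are dropped besides the intended A-to-B pair. The sig_id, the addresses and the helper names are constructed placeholders, and the parser handles only the `track by_src|by_dst, ip <addr>` form of `suppress`.

```python
import ipaddress
import re

# Constructed threshold.conf lines: the two-suppression approach from the thread.
# sig_id 1000001 and all addresses are placeholders, not values from the post.
SUPPRESS_CONF = """
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 1000001, track by_dst, ip 192.0.2.20
"""

LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),"
    r"\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)$"
)

def parse_suppressions(text):
    """Parse 'suppress' lines into (gid, sid, track, network) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {raw!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False)
        entries.append((int(gid), int(sid), track, net))
    return entries

def is_suppressed(entries, gid, sid, src, dst):
    """An event is dropped if ANY single entry matches; entries are never ANDed."""
    for e_gid, e_sid, track, net in entries:
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if (e_gid, e_sid) == (gid, sid) and addr in net:
            return True
    return False

def collateral(entries, gid, sid, intended, flows):
    """Flows suppressed although they are not the intended (src, dst) pair."""
    return [f for f in flows
            if f != intended and is_suppressed(entries, gid, sid, *f)]

if __name__ == "__main__":
    A, B, C, D = "192.0.2.10", "192.0.2.20", "198.51.100.5", "198.51.100.6"
    flows = [(A, B), (A, C), (C, B), (C, D), (B, A)]
    entries = parse_suppressions(SUPPRESS_CONF)
    for f in collateral(entries, 1, 1000001, (A, B), flows):
        print("also suppressed:", f)
```

Run against an export of real alert source/destination pairs, `collateral` lists the detections that a pair of by_src and by_dst suppressions would silently remove.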
Current thread:
- Event Suppression between specific Source and Destination Guido Hungerbuehler (Dec 14)
- Re: Event Suppression between specific Source and Destination Joel Esler (Dec 14)
- Re: Event Suppression between specific Source and Destination Guido Hungerbuehler (Dec 14)
- Re: Event Suppression between specific Source and Destination Joel Esler (Dec 14)
- Re: Event Suppression between specific Source and Destination Guido Hungerbuehler (Dec 14)
- Re: Event Suppression between specific Source and Destination Joel Esler (Dec 14)
- Re: Event Suppression between specific Source and Destination Guido Hungerbuehler (Dec 14)
- Re: Event Suppression between specific Source and Destination waldo kitty (Dec 14)
- Re: Event Suppression between specific Source and Destination Jeremy Hoel (Dec 14)
- Re: Event Suppression between specific Source and Destination Tony Robinson (Dec 15)
- Re: Event Suppression between specific Source and Destination Jeremy Hoel (Dec 15)
- Re: Event Suppression between specific Source and Destination Guido Hungerbuehler (Dec 14)
- Re: Event Suppression between specific Source and Destination Joel Esler (Dec 14)
