Next: 2.4 Snort Multi-Event Logging Up: 2. Configuring Snort Previous: 2.2 Event Thresholding

2.3 Event Suppression

Event suppression stops specified events from firing without removing the rule from the rule base. Suppression uses CIDR block notation to select specific networks and hosts for suppression. Suppression tests are performed prior to either standard or global thresholding tests.

Suppression commands are standalone commands that reference generators, SIDs, and IP addresses via a CIDR block. This allows a rule to be completely suppressed, or suppressed only when the causative traffic is going to or coming from a specific IP or group of IP addresses. You may apply multiple suppression commands to a SID. You may also combine one threshold command and several suppression commands on the same SID.
2.3.1 Format
The suppress command takes either 2 options (suppress the event entirely) or 4 options (suppress it only for traffic matching the given address block), as described in Table

suppress gen_id <gen-id>, sig_id <sig-id>, \
    track <by_src|by_dst>, ip <ip|ip/mask-bits>
2.3.2 Examples

Suppress this event completely:

suppress gen_id 1, sig_id 1852

Suppress this event when it comes from this source IP:

suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54

Suppress this event when it is destined to this CIDR block:

suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
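The following is an added example, not code from the Snort project or from this manual. It models the semantics described in this section in Python: a small parser for suppress directives and an evaluator that decides whether a given event (generator, signature, source and destination address) would be silenced, honouring both the 2-option (full) and 4-option (by_src / by_dst with a host or CIDR block) forms and allowing several entries per SID. The config fragment, the function names and the sample event addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a Snort "suppress" evaluator (not Snort's own code).
# A suppress entry names a generator and a signature; with no track/ip it
# silences the event entirely, with "track by_src|by_dst" and "ip <addr or CIDR>"
# it silences the event only when that side of the traffic is inside the block.

_SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gen>\d+)\s*,\s*sig_id\s+(?P<sig>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Suppression:
    gen_id: int
    sig_id: int
    track: Optional[str]       # "by_src", "by_dst", or None for full suppression
    network: Optional[object]  # ipaddress network object, or None for full suppression


def parse_suppress(line: str) -> Suppression:
    """Parse one suppress directive; raise ValueError on malformed input."""
    m = _SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a valid suppress directive: {line!r}")
    track = m.group("track")
    net = None
    if track:
        # A bare address becomes a /32 host block; strict=False tolerates host bits.
        net = ipaddress.ip_network(m.group("ip"), strict=False)
        track = track.lower()
    return Suppression(int(m.group("gen")), int(m.group("sig")), track, net)


def parse_config(text: str) -> List[Suppression]:
    """Collect every suppress directive from a config fragment, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("suppress"):
            rules.append(parse_suppress(line))
    return rules


def is_suppressed(rules: List[Suppression], gen_id: int, sig_id: int,
                  src_ip: str, dst_ip: str) -> bool:
    """True if any suppress entry silences this event.

    Several entries may exist for the same SID; the first match wins.  In Snort
    this check happens before any standard or global thresholding is applied.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.gen_id, r.sig_id) != (gen_id, sig_id):
            continue
        if r.track is None:          # 2-option form: always suppressed
            return True
        side = src if r.track == "by_src" else dst
        if side in r.network:        # 4-option form: suppressed only inside block
            return True
    return False


# Constructed config fragment built from the three forms shown in this section.
SAMPLE_CONFIG = """
# SID 1852: suppress from one host, and to one /24, but alert otherwise
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
# SID 2000 (constructed): suppressed completely
suppress gen_id 1, sig_id 2000
"""

RULES = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for gen, sig, s, d in [(1, 1852, "10.1.1.54", "192.0.2.1"),
                           (1, 1852, "10.1.1.55", "192.0.2.1"),
                           (1, 1852, "192.0.2.1", "10.1.1.200"),
                           (1, 2000, "192.0.2.1", "192.0.2.2")]:
        print(gen, sig, s, "->", d, "suppressed" if is_suppressed(RULES, gen, sig, s, d) else "alerts")
```

When tuning a sensor this way, keep the by_src / by_dst distinction in mind: the second entry above silences SID 1852 only for traffic whose destination is inside 10.1.1.0/24, so the same signature firing from a host in that block toward an outside address still alerts unless a by_src entry covers it.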