Bug #366 » threshold.config

Peter Manev, 11/02/2011 03:48 AM

suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.19
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.20
# with the above 2 rules, if both are enabled at the same time - it does not work as it is supposed to (does not suppress the alert)
# if we enable only one (or change the sig_id of one of the rules), it does work (alerts are suppressed) - the same situation below with "track by_src"


#if you enable both of the rules below - an alert would be generated with suppresstest.pcap (although it should not)
#if it is only one suppress rule enabled (82.96.58.41) - it works as expected
#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
#suppress gen_id 1, sig_id 5001684, track by_src, ip 5.5.5.5


# with both rules below enabled - suricata works as expected (notice the difference between the sig_id values)
#suppress gen_id 1, sig_id 1234567, track by_src, ip 5.5.5.5
#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41

# so it actually (judging by the tests) comes down to the same sig_id value: if you have it more than once, it seems it is not working
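As an added illustration (not part of the attachment and not Suricata's own code), a small Python checker that parses suppress lines of this form, evaluates the suppression each entry is expected to produce for a given alert, and flags any (gen_id, sig_id) pair that is listed more than once, which is the condition the comments above single out; SAMPLE_CONFIG is constructed from the entries above with all of them enabled.

```python
import ipaddress
import re

# Constructed sample: the suppress entries from the attachment, all enabled.
SAMPLE_CONFIG = """\
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.19
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.20
suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
suppress gen_id 1, sig_id 1234567, track by_src, ip 5.5.5.5
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),"
    r"\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)$"
)


def parse_suppress(text):
    """Return (gen_id, sig_id, track, network) tuples; '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        gen_id, sig_id, track, ip = m.groups()
        # strict=False so a bare host address becomes a /32 (or /128) network
        entries.append((int(gen_id), int(sig_id), track,
                        ipaddress.ip_network(ip, strict=False)))
    return entries


def duplicate_sig_ids(entries):
    """(gen_id, sig_id) pairs that occur in more than one suppress entry."""
    counts = {}
    for gen_id, sig_id, _, _ in entries:
        counts[(gen_id, sig_id)] = counts.get((gen_id, sig_id), 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


def should_suppress(entries, gen_id, sig_id, src, dst):
    """Expected semantics: suppress if any entry for this gen_id/sig_id
    covers the alert's source (by_src) or destination (by_dst) address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for g, s, track, net in entries:
        if (g, s) != (gen_id, sig_id):
            continue
        addr = src if track == "by_src" else dst
        if addr in net:
            return True
    return False
```

Running `duplicate_sig_ids` over a live threshold.config tells you whether a deployment is in the situation described in the comments, and `should_suppress` gives the result to compare against what the engine actually did.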