# Configure Thresholding and Suppression # ====================================== # # The threshold command is deprecated. Use detection_filter for thresholds # within a rule and event_filter for standalone threshold configurations. # Please see README.filters for more information on filters. # # Thresholding: # # This feature is used to reduce the number of logged alerts for noisy rules. # This can be tuned to significantly reduce false alarms, and it can also be # used to write a newer breed of rules. Thresholding commands limit the number # of times a particular event is logged during a specified time interval. # # There are 3 types of event_filters: # # 1) Limit # Alert on the 1st M events during the time interval, then ignore # events for the rest of the time interval. # # 2) Threshold # Alert every M times we see this event during the time interval. # # 3) Both # Alert once per time interval after seeing M occurrences of the # event, then ignore any additional events during the time interval. # # Threshold commands are formatted as: # # event_filter gen_id gen-id, sig_id sig-id, \ # type limit|threshold|both, track by_src|by_dst, \ # count n , seconds m # # Limit to logging 1 event per 60 seconds: # # event_filter gen_id 1, sig_id 1851, type limit, \ # track by_src, count 1, seconds 60 # # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering # each rule (rules are gen_id 1): # # event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60 # # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering # any alert for any event generator: # # event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 # # Suppression: # # Suppression commands are standalone commands that reference generators and # sids and IP addresses via a CIDR block (or IP list). This allows a rule to be # completely suppressed, or suppressed when the causitive traffic is going to # or comming from a specific IP or group of IP addresses. # # Suppress this event completely: # # suppress gen_id 1, sig_id 1852 # # Suppress this event from this IP: # # suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54 # # Suppress this event to this CIDR block: # # suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24 # # working example from iggbsd2 snort: #suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2 # Sometimes I idle in IRC suppress gen_id 1, sig_id 2404152, track by_src, ip 192.168.2.2 suppress gen_id 1, sig_id 2404154, track by_src, ip 192.168.2.2 suppress gen_id 1, sig_id 2002026, track by_src, ip 192.168.2.2 #apt updates suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.2 suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.3 suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.216 # nerds play wow, fires on launcher.exe suppress gen_id 1, sig_id 2010645, track by_dst, ip 12.129.222.51 # #### # torrent related false positives #### suppress gen_id 1, sig_id 2406000, track by_src, ip 108.59.1.205 suppress gen_id 1, sig_id 2406001, track by_src, ip 108.59.1.205