Bug #967

closed

threshold rule clobbers suppress rules

Added by Darrell Enns over 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: Normal

Description

Adding a threshold rule clobbers any previous suppress rules. If this behavior is intended and not a bug, then it's highly counter-intuitive and should be clearly documented.

This works as expected (suppresses alerts for 192.168.0.8 and limits other hosts to one alert per hour):

threshold gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 3600
suppress gen_id 1, sig_id 2014726, track by_src, ip 192.168.0.8

This does not suppress alerts for 192.168.0.8:

suppress gen_id 1, sig_id 2014726, track by_src, ip 192.168.0.8
threshold gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 3600
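
A lint check for the ordering problem reported above, as an added example that is not part of the original report or the project's own code: it flags any `threshold` line that comes after a `suppress` line for the same gen_id/sig_id. The function names and the sample input (including sig_id 1000001) are constructed for illustration.

```python
import re

# Matches the two rule kinds shown in the report; other lines are ignored.
RULE_RE = re.compile(r"^\s*(threshold|suppress)\s+(.*)$")

def parse_fields(body):
    """Split 'gen_id 1, sig_id 2014726, ...' into a key -> value dict."""
    pairs = (part.split(None, 1) for part in body.split(","))
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def find_clobbered_suppress(text):
    """Return (suppress_line, threshold_line, gen_id, sig_id, ip) for every
    suppress rule followed later by a threshold rule on the same
    gen_id/sig_id, the ordering the report says loses the suppression."""
    seen = {}      # (gen_id, sig_id) -> list of (line_no, ip)
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = RULE_RE.match(line)
        if not m:
            continue
        kind, fields = m.group(1), parse_fields(m.group(2))
        key = (fields.get("gen_id"), fields.get("sig_id"))
        if None in key:
            continue                         # malformed rule, nothing to compare
        if kind == "suppress":
            seen.setdefault(key, []).append((line_no, fields.get("ip")))
        else:
            for sup_line, ip in seen.get(key, []):
                findings.append((sup_line, line_no, key[0], key[1], ip))
    return findings

# Constructed sample: sid 2014726 uses the failing order, sid 1000001 the working one.
SAMPLE = """\
# constructed threshold.config for illustration
suppress gen_id 1, sig_id 2014726, track by_src, ip 192.168.0.8
threshold gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 3600
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 3600
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.0.9
"""

if __name__ == "__main__":
    for sup, thr, gid, sid, ip in find_clobbered_suppress(SAMPLE):
        print(f"line {thr}: threshold {gid}:{sid} follows suppress on line {sup} (ip {ip})")
```
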
