next up previous contents
Next: 2.4 Snort Multi-Event Logging Up: 2. Configuring Snort Previous: 2.2 Event Thresholding   Contents

2.3 Event Suppression

Event suppression stops specified events from firing without removing the rule from the rule base. Suppression uses a CIDR block notation to select specific networks and users for suppression. Suppression tests are performed prior to either standard or global thresholding tests.

Suppression commands are standalone commands that reference generators, SIDs, and IP addresses via a CIDR block. This allows a rule to be completely suppressed, or suppressed when the causative traffic is going to or coming from a specific IP or group of IP addresses.

You may apply multiple suppression commands to a SID. You may also combine one threshold command and several suppression commands to the same SID.

2.3.1 Format

The suppress command takes either 2 or 4 options, as described in the table below.


Table: Suppression Options

Option   Argument               Required?
gen_id   <generator id>         required
sig_id   <Snort signature id>   required
track    by_src or by_dst       optional, requires ip
ip       ip[/mask]              optional, requires track

suppress gen_id <gen-id>, sig_id <sid-id>, \
    track <by_src|by_dst>, ip <ip|mask-bits>

2.3.2 Examples

Suppress this event completely:

suppress gen_id 1, sig_id 1852

Suppress this event from this IP:

suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54

Suppress this event to this CIDR block:

suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
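As an added illustration (not code from the Snort manual or from Snort itself), the following Python model shows how the options above combine: it parses suppress lines, enforces that track and ip appear together, and runs the suppression test for an event against its source or destination address before any thresholding would apply. The sample config and event addresses are constructed; sig_id 2000 is a placeholder, and real Snort's parser is more elaborate than this.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Optional

# Constructed sample config in the page's suppress syntax (sig_id 2000 is a placeholder).
SAMPLE_CONFIG = """
suppress gen_id 1, sig_id 2000
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
"""
KNOWN = {"gen_id", "sig_id", "track", "ip"}

@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str] = None   # "by_src" / "by_dst", or None for full suppression
    net: Any = None               # ipaddress network object when track is set

def parse_suppress(line: str) -> Suppress:
    """Parse one suppress line, enforcing the 2-or-4 option rule from the table."""
    body = line.strip()
    if not body.startswith("suppress "):
        raise ValueError("not a suppress command: %r" % line)
    opts = {}
    for part in body[len("suppress "):].split(","):
        key, _, val = part.strip().partition(" ")
        opts[key] = val.strip()
    if set(opts) - KNOWN or not {"gen_id", "sig_id"} <= set(opts):
        raise ValueError("gen_id and sig_id are required; unknown options rejected")
    if ("track" in opts) != ("ip" in opts):
        raise ValueError("track and ip must be given together")
    if opts.get("track") not in (None, "by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    # ip[/mask]: a bare address becomes a /32 host network, so it matches only itself.
    net = ipaddress.ip_network(opts["ip"], strict=False) if "ip" in opts else None
    return Suppress(int(opts["gen_id"]), int(opts["sig_id"]), opts.get("track"), net)

def is_suppressed(rules, gen_id: int, sig_id: int, src: str, dst: str) -> bool:
    """Run the suppression test (which precedes thresholding) for one event."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (gen_id, sig_id):
            continue
        if r.track is None:
            return True   # whole event suppressed, no address check
        addr = ipaddress.ip_address(src if r.track == "by_src" else dst)
        if addr in r.net:
            return True
    return False
```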
