Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

Thresholds not working #1756

Closed Jdelgado-82 closed 4 years ago

Jdelgado-82 commented 4 years ago

I have been trying to get my thresholds to work properly. I thought I was setting it up correctly but I am still getting alerts.
This is my /etc/nsm/rules/threshold.conf:

```
# Suppression commands are standalone commands that reference generators and sids and IP addresses
# via a CIDR block (or IP list). This allows a rule to be completely suppressed, or suppressed when
# the causative traffic is going to or coming from a specific IP or group of IP addresses.
#
# Suppress this event completely:
#
# suppress gen_id 1, sig_id 1852
#
# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

suppress gen_id 1, sig_id 2101411, track by_dst, ip 192.168.100.117 #GPL SNMP public access udp
suppress gen_id 1, sig_id 2101411, track by_dst, ip 192.168.100.119 #GPL SNMP public access udp
suppress gen_id 1, sig_id 2009702, track by_dst, ip 192.168.100.19 #DNS Update From External net
```

After that I run:

```
sudo nsm_sensor_ps-restart --only-snort-alert
sudo rule-update
```

But I am still getting alerts for those IPs. Any advice?
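The entries above follow the Snort `threshold.conf` suppress syntax: an entry with no `track` clause suppresses the signature everywhere, `track by_src` suppresses it only when the listed address is the alert's source, and `track by_dst` only when it is the destination. The checker below is an added example, not code from this issue or from the Security Onion project. It parses suppress entries with those semantics and evaluates alert tuples against them, which makes the direction of a `by_dst` entry visible: the same address on the source side of an alert is not matched. The sample configuration is constructed and modelled on the entries in the issue; the `sig_id 2100366` entry, its bracketed IP list and all alert addresses are made up for the demonstration. Negated (`!`) list members are not handled, by assumption.

```python
"""Evaluate Snort-style threshold.conf 'suppress' entries against alert tuples.

Added example (not from the issue or the Security Onion project).  Semantics
followed, as documented for Snort's threshold.conf:
  suppress gen_id <g>, sig_id <s>                      -> always suppressed
  suppress gen_id <g>, sig_id <s>, track by_src, ip X  -> suppressed if source in X
  suppress gen_id <g>, sig_id <s>, track by_dst, ip X  -> suppressed if destination in X
X may be one IP, a CIDR block, or a bracketed comma-separated list of either.
Negated list members ('!') are not supported here (assumption for this example).
"""
import ipaddress
import re

# Constructed sample, modelled on the entries posted in the issue plus one
# hypothetical by_src entry (sig_id 2100366 and its networks are made up).
SAMPLE_THRESHOLD_CONF = """
# Suppress this event completely:
suppress gen_id 1, sig_id 1852
suppress gen_id 1, sig_id 2101411, track by_dst, ip 192.168.100.117   # GPL SNMP public access udp
suppress gen_id 1, sig_id 2101411, track by_dst, ip 192.168.100.119   # GPL SNMP public access udp
suppress gen_id 1, sig_id 2009702, track by_dst, ip 192.168.100.19    # DNS Update From External net
suppress gen_id 1, sig_id 2100366, track by_src, ip [10.1.1.0/24, 172.16.5.9]
"""

_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?))?\s*$"
)


def parse_suppress_conf(text):
    """Return a list of (gen_id, sig_id, track, networks) tuples.

    'track' is None and 'networks' is an empty tuple for an unconditional
    suppress.  Anything after '#' is treated as a comment; blank lines and
    non-suppress lines (e.g. event_filter) are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress"):
            continue
        m = _SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable suppress entry: {raw!r}")
        gen_id, sig_id, track, ip_spec = m.groups()
        networks = ()
        if ip_spec:
            items = ip_spec.strip().strip("[]").split(",")
            # strict=False lets host bits be set in a CIDR (10.1.1.54/24 is accepted)
            networks = tuple(ipaddress.ip_network(i.strip(), strict=False) for i in items)
        rules.append((int(gen_id), int(sig_id), track, networks))
    return rules


def is_suppressed(rules, gen_id, sig_id, src_ip, dst_ip):
    """True if any parsed rule suppresses the alert (gen_id, sig_id, src -> dst)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r_gen, r_sig, track, networks in rules:
        if (r_gen, r_sig) != (gen_id, sig_id):
            continue
        if track is None:
            return True  # unconditional suppress, no IP condition
        # by_src looks only at the source address, by_dst only at the destination
        candidate = src if track == "by_src" else dst
        if any(candidate in net for net in networks):
            return True
    return False


if __name__ == "__main__":
    rules = parse_suppress_conf(SAMPLE_THRESHOLD_CONF)
    # Constructed alert tuples: (gen_id, sig_id, source, destination)
    alerts = [
        (1, 2101411, "10.0.0.5", "192.168.100.117"),   # listed address is the destination
        (1, 2101411, "192.168.100.117", "10.0.0.5"),   # same address, but as the source
        (1, 1852, "8.8.8.8", "10.0.0.1"),              # unconditional suppress
    ]
    for gen, sig, s, d in alerts:
        verdict = "suppressed" if is_suppressed(rules, gen, sig, s, d) else "NOT suppressed"
        print(f"gen_id {gen} sig_id {sig} {s} -> {d}: {verdict}")
```

Running the block prints one verdict per constructed alert; the second tuple shows the case a `by_dst` entry does not cover. To check a real sensor's file, pass the contents of `/etc/nsm/rules/threshold.conf` to `parse_suppress_conf` and feed it the gen_id, sig_id, source and destination of an alert that was expected to be silent.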

dougburks commented 4 years ago

Hi @Jdelgado-82,

For questions like this, please use our mailing list instead of this issue tracker: https://securityonion.readthedocs.io/en/latest/mailing-lists.html

Thanks!