<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <!--Converted with LaTeX2HTML 2002-2-1 (1.71) original version by: Nikos Drakos, CBLU, University of Leeds * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan * with significant contributions from: Jens Lippmann, Marek Rouchal, Martin Wilck and others --> <HTML> <HEAD> <TITLE>2.3 Event Suppression</TITLE> <META NAME="description" CONTENT="2.3 Event Suppression"> <META NAME="keywords" CONTENT="snort_manual"> <META NAME="resource-type" CONTENT="document"> <META NAME="distribution" CONTENT="global"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1"> <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css"> <LINK REL="STYLESHEET" HREF="snort_manual.css"> <LINK REL="next" HREF="node14.html"> <LINK REL="previous" HREF="node12.html"> <LINK REL="up" HREF="node10.html"> <LINK REL="next" HREF="node14.html"> </HEAD> <BODY > <!--Navigation Panel--> <A NAME="tex2html502" HREF="node14.html"> <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> <A NAME="tex2html498" HREF="node10.html"> <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> <A NAME="tex2html492" HREF="node12.html"> <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> <A NAME="tex2html500" HREF="node1.html"> <IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A> <BR> <B> Next:</B> <A NAME="tex2html503" HREF="node14.html">2.4 Snort Multi-Event Logging</A> <B> Up:</B> <A NAME="tex2html499" HREF="node10.html">2. 
Configuring Snort</A> <B> Previous:</B> <A NAME="tex2html493" HREF="node12.html">2.2 Event Thresholding</A> <B> <A NAME="tex2html501" HREF="node1.html">Contents</A></B> <BR> <BR> <!--End of Navigation Panel--> <!--Table of Child-Links--> <A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A> <UL> <LI><A NAME="tex2html504" HREF="node13.html#SECTION00331000000000000000">2.3.1 Format</A> <LI><A NAME="tex2html505" HREF="node13.html#SECTION00332000000000000000">2.3.2 Examples</A> </UL> <!--End of Table of Child-Links--> <HR> <H1><A NAME="SECTION00330000000000000000"> 2.3 Event Suppression</A> </H1> Event suppression stops specified events from firing without removing the rule from the rule base. Suppression uses CIDR block notation to select the specific networks and hosts whose events are suppressed. Suppression tests are performed before either standard or global thresholding tests. <P> Suppression commands are standalone commands that reference a generator, a SID, and IP addresses given as a CIDR block. This allows a rule to be suppressed completely, or suppressed only when the causative traffic is going to or coming from a specific IP address or group of IP addresses. <P> You may apply multiple suppression commands to one SID. You may also combine one threshold command with several suppression commands on the same SID. <P> <H2><A NAME="SECTION00331000000000000000"> 2.3.1 Format</A> </H2> <P> The <TT>suppress</TT> command takes either 2 or 4 options, as listed in the <A HREF="#suppression_options">Suppression Options</A> table.
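<P> The following is an added, stand-alone model of how the <TT>suppress</TT> entries described in this section are evaluated against events. It is not code from the Snort manual or the Snort project; the class and function names (<TT>Suppress</TT>, <TT>Event</TT>, <TT>parse_suppress</TT>, <TT>is_suppressed</TT>, <TT>process</TT>) are this example's own. It parses the 2-option and 4-option forms, matches an event's source or destination address against the <TT>ip[/mask]</TT> argument using Python's <TT>ipaddress</TT> module, and then applies a simplified limit-type threshold after suppression, so that a suppressed event never consumes a threshold slot, which is what the ordering stated above implies. The configuration lines and events are constructed sample data. <P>

```python
"""Added example (not from the Snort manual or the Snort project): a model of
suppress-entry evaluation followed by a simplified limit threshold (Section 2.3)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Suppress:                    # example's own type, not a Snort API
    gen_id: int
    sig_id: int
    track: Optional[str] = None    # "by_src", "by_dst", or None for the whole rule
    net: Optional[ipaddress.IPv4Network | ipaddress.IPv6Network] = None


@dataclass(frozen=True)
class Event:                       # which rule fired, and the packet's endpoints
    gen_id: int
    sig_id: int
    src: str
    dst: str


def parse_suppress(line: str) -> Suppress:
    """Parse 'suppress gen_id <g>, sig_id <s>[, track <t>, ip <net>]'.
    gen_id and sig_id are required; track and ip are optional but need each other."""
    head, _, rest = line.strip().partition(" ")
    if head.lower() != "suppress":
        raise ValueError(f"not a suppress line: {line!r}")
    opts: dict[str, str] = {}
    for field in rest.split(","):
        key, _, val = field.strip().partition(" ")
        if not key or not val.strip():
            raise ValueError(f"malformed option {field!r} in {line!r}")
        opts[key] = val.strip()
    if "gen_id" not in opts or "sig_id" not in opts:
        raise ValueError(f"gen_id and sig_id are required: {line!r}")
    if ("track" in opts) != ("ip" in opts):
        raise ValueError(f"track and ip must be given together: {line!r}")
    track = opts.get("track")
    if track is not None and track not in ("by_src", "by_dst"):
        raise ValueError(f"track must be by_src or by_dst: {line!r}")
    net = None
    if "ip" in opts:
        # A bare address (no /mask) becomes a single-host network, e.g. 10.1.1.54/32.
        net = ipaddress.ip_network(opts["ip"], strict=False)
    return Suppress(int(opts["gen_id"]), int(opts["sig_id"]), track, net)


def is_suppressed(ev: Event, rules: list[Suppress]) -> bool:
    """Suppression test. Several entries may target one SID; any match suppresses."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (ev.gen_id, ev.sig_id):
            continue
        if r.track is None:
            return True            # no track/ip: the rule is suppressed completely
        addr = ipaddress.ip_address(ev.src if r.track == "by_src" else ev.dst)
        if addr in r.net:
            return True
    return False


def process(events: list[Event], rules: list[Suppress], limit: int) -> dict:
    """Suppression first, then a simplified 'limit' threshold: at most `limit`
    alerts per (gen_id, sig_id, source) in one window (the whole batch here).
    Suppressed events are dropped before counting, so they never use a slot."""
    counts: dict[tuple, int] = {}
    logged: list[Event] = []
    suppressed = thresholded = 0
    for ev in events:
        if is_suppressed(ev, rules):
            suppressed += 1
            continue
        key = (ev.gen_id, ev.sig_id, ev.src)
        counts[key] = counts.get(key, 0) + 1
        if counts[key] > limit:
            thresholded += 1
            continue
        logged.append(ev)
    return {"logged": logged, "suppressed": suppressed, "thresholded": thresholded}


# Constructed sample configuration: the three forms shown in this section.
SAMPLE_CONFIG = """
suppress gen_id 1, sig_id 2001
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
"""
RULES = [parse_suppress(l) for l in SAMPLE_CONFIG.strip().splitlines()]

# Constructed sample events (documentation address ranges).
SAMPLE_EVENTS = [
    Event(1, 2001, "192.0.2.10", "198.51.100.5"),  # SID suppressed completely
    Event(1, 1852, "10.1.1.54", "198.51.100.5"),   # source matches the by_src host
    Event(1, 1852, "192.0.2.10", "10.1.1.200"),    # destination inside the by_dst /24
    Event(1, 1852, "192.0.2.10", "198.51.100.5"),  # no match: logged
    Event(1, 1852, "192.0.2.10", "198.51.100.6"),  # no match: logged (2nd from this src)
    Event(1, 1852, "192.0.2.10", "198.51.100.7"),  # no match: 3rd exceeds limit 2
    Event(1, 1852, "10.1.1.54", "10.1.1.9"),       # suppressed, so never counted
]

if __name__ == "__main__":
    result = process(SAMPLE_EVENTS, RULES, limit=2)
    print(f"logged={len(result['logged'])} suppressed={result['suppressed']} "
          f"thresholded={result['thresholded']}")  # logged=2 suppressed=4 thresholded=1
```

Running the file prints the counts; <TT>process</TT> returns them so they can also be checked programmatically. A real Snort threshold entry also carries a time window in seconds, which the model collapses into a single window covering the whole batch; the point it keeps is that the suppression test runs first and removes the event before any threshold counter sees it.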
<P> <BR><P></P> <DIV ALIGN="CENTER"> <DIV ALIGN="CENTER"> <A NAME="2163"></A> <A NAME="suppression_options"></A> <TABLE CELLPADDING=3 BORDER="1"> <CAPTION><STRONG>Table:</STRONG> Suppression Options</CAPTION> <TR><TH ALIGN="LEFT"><B>Option</B></TH> <TH ALIGN="LEFT" VALIGN="TOP" WIDTH=252><B>Argument</B></TH> <TH ALIGN="LEFT"><B>Required?</B></TH> </TR> <TR><TD ALIGN="LEFT"><TT>gen_id</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=252>&lt;generator id&gt;</TD> <TD ALIGN="LEFT">required</TD> </TR> <TR><TD ALIGN="LEFT"><TT>sig_id</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=252>&lt;Snort signature id&gt;</TD> <TD ALIGN="LEFT">required</TD> </TR> <TR><TD ALIGN="LEFT"><TT>track</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=252><TT>by_src</TT> or <TT>by_dst</TT></TD> <TD ALIGN="LEFT">optional, requires <TT>ip</TT></TD> </TR> <TR><TD ALIGN="LEFT"><TT>ip</TT></TD> <TD ALIGN="LEFT" VALIGN="TOP" WIDTH=252><TT>ip[/mask]</TT></TD> <TD ALIGN="LEFT">optional, requires <TT>track</TT></TD> </TR> </TABLE> </DIV> </DIV> <BR> <P> <PRE>
suppress gen_id &lt;gen-id&gt;, sig_id &lt;sig-id&gt;, \
         track &lt;by_src|by_dst&gt;, ip &lt;ip[/mask-bits]&gt;
</PRE> <P> <H2><A NAME="SECTION00332000000000000000"> 2.3.2 Examples</A> </H2> Suppress this event completely: <PRE>
suppress gen_id 1, sig_id 1852
</PRE> <P> Suppress this event when it comes from this source IP: <PRE>
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
</PRE> <P> Suppress this event when it is destined to this CIDR block: <PRE>
suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
</PRE> <P> <HR> </BODY> </HTML>