Suricata suppress rules based on combination of source- and destination-IP?

[ejgh-oe]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

500

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Suricata threshold rules allows suppressing alerts based on e.g. source-ip, destination-ip etc. (ref https://onion-mgr/docs/managing-alerts.html#managing-alerts pointing to https://docs.suricata.io/en/suricata-6.0.0/configuration/global-thresholds.html) which is a very cool feature in order to keep false positives down.

According the the Suricata-manual (link see above), the syntax is

suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|subnet|addressvar>

My question: is it possible to have an suppress rule based on the combination of source- and destination IP? Something like "suppress alert if source is 192.168.4.12 and destination is 192.168.12.44"?

Thanks much in advance for any clue.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

I found this on the Suricata discussion forum -- looks like this isn't natively supported, but you could implement it using a custom flowbit.

https://forum.suricata.io/t/rule-threshold-configuration/2461

[ejgh-oe]

Thanks for the hint - looks like this indeed could be the solution. :-)