Threshold SID Range
#12782
Replies: 2 comments 1 reply
- UP! Can anybody help?
  0 replies
- I don't think idstools supports this.
  1 reply
Version: 2.4.50
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 8
RAM: 24GB
Storage for /: 60GB
Storage for /nsm: 111GB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
Hi! I am trying to create a threshold rule to suppress a range of SIDs, only affecting one IP address, but I am not able to.
If I set lines like this one, everything is OK:
```yaml
2013457:
  gen_id: 1
  track: by_src
  ip: 192.168.110.14
```
The point is I want to suppress alerts for this SID range [2520000:2523297] only when the 192.168.20.230 IP address is the destination.
I have tried several ways:
```yaml
2520000:2523297
  gen_id: 1
  track: by_dst
  ip: 192.168.1.45
```
This one fails the syntax checks when saving.
```yaml
2520000-2523297
  gen_id: 1
  track: by_dst
  ip: 192.168.1.45
```
This one does not fail when saving the file, but Suricata complains in the log file suricata.log, and of course it does not work at all.
ChatGPT made up a way to do it, but as usual with ChatGPT it is also a bluff... saying something like:
```yaml
gen_id: 1
track: by_dst
ip: 192.168.1.45
sids: 2520000:2523297
```
This does not work either... so I am asking myself if there is any way to do what I want without disabling the SIDs in the range completely.
Thanks!
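Suricata's threshold configuration takes one `sig_id` per `suppress` entry and has no range syntax, so the usual workaround when a tool such as idstools does not expand ranges for you is to generate one suppress entry per SID. The script below is an added example, not code from this discussion, from Security Onion or from idstools. It expands a SID range into per-SID entries and prints them in two layouts: Suricata's native `threshold.config` line format (`suppress gen_id 1, sig_id N, track by_dst, ip 192.168.1.45`), and a YAML fragment in the `thresholding: sids: <sid>: - suppress:` pillar layout described in the Security Onion 2.4 documentation. The pillar layout is taken from those docs as an assumption and should be checked against the version you run before pasting it in; the SID range, `track` value and IP below are the ones from the post. Note that Security Onion generates Suricata's threshold file from the pillar via Salt, so the pillar, not the generated file, is the place to put the expanded entries.

```python
"""Expand a SID range into per-SID Suricata suppress entries.

Added example (not part of the original discussion, Security Onion, or
idstools). Suricata suppresses exactly one sig_id per entry, so a range
such as 2520000:2523297 is handled by emitting one entry per SID.
"""
import ipaddress
from typing import Dict, List, Tuple

# 'track' values Suricata accepts for a suppress entry
# (threshold entries allow more, e.g. by_rule, which we deliberately reject).
SUPPRESS_TRACK_VALUES = ("by_src", "by_dst", "by_either")


def parse_sid_range(spec: str) -> Tuple[int, int]:
    """Accept 'LO:HI', 'LO-HI' (both spellings tried in the post) or a single SID."""
    for sep in (":", "-"):
        if sep in spec:
            lo_s, hi_s = spec.split(sep, 1)
            lo, hi = int(lo_s), int(hi_s)
            break
    else:
        lo = hi = int(spec)
    if lo <= 0 or hi < lo:
        raise ValueError(f"bad SID range: {spec!r}")
    return lo, hi


def build_suppress_entries(spec: str, track: str, ip: str, gen_id: int = 1) -> List[Dict]:
    """Return one suppress entry (as a dict) per SID in the range."""
    if track not in SUPPRESS_TRACK_VALUES:
        raise ValueError(f"track must be one of {SUPPRESS_TRACK_VALUES}, got {track!r}")
    # Validate a single address or a CIDR block; strict=False tolerates host bits in a /24.
    ipaddress.ip_network(ip, strict=False)
    lo, hi = parse_sid_range(spec)
    return [{"sid": sid, "gen_id": gen_id, "track": track, "ip": ip} for sid in range(lo, hi + 1)]


def to_threshold_config(entries: List[Dict]) -> str:
    """Suricata's native threshold.config syntax, one 'suppress' line per SID."""
    return "".join(
        f"suppress gen_id {e['gen_id']}, sig_id {e['sid']}, track {e['track']}, ip {e['ip']}\n"
        for e in entries
    )


def to_so_pillar_yaml(entries: List[Dict]) -> str:
    """YAML in the 'thresholding: sids:' pillar layout from the Security Onion 2.4 docs.

    ASSUMPTION: layout reproduced from the docs, not verified against every release.
    """
    lines = ["thresholding:", "  sids:"]
    for e in entries:
        lines += [
            f"    {e['sid']}:",
            "      - suppress:",
            f"          gen_id: {e['gen_id']}",
            f"          track: {e['track']}",
            f"          ip: {e['ip']}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Values from the post: suppress the whole range only when this host is the destination.
    entries = build_suppress_entries("2520000:2523297", "by_dst", "192.168.1.45")
    print(f"# {len(entries)} entries generated; first three in each format:\n")
    print(to_threshold_config(entries[:3]))
    print(to_so_pillar_yaml(entries[:3]))
```

Redirect the full output to a file and review it before applying; the range in the post expands to 3298 entries, which is harmless for Suricata but worth knowing before it lands in your pillar.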