Can I block a specific IP for all alerting #14064

jashbaugh-c1 · 2025-01-02T19:17:50Z

jashbaugh-c1
Jan 2, 2025

Version

2.4.111

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

2TB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

I need to block another security appliance from throwing alerts in SO that is with the same LAN subnet. I know I can block via a specific rule in detections but and hoping to avoid tedious work. Thanks.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by rh-ops

Jan 3, 2025

You can use a BPF filter to exclude that appliance via its IP.

https://docs.securityonion.net/en/2.4/bpf.html

View full answer

rh-ops · 2025-01-03T13:25:59Z

rh-ops
Jan 3, 2025

You can use a BPF filter to exclude that appliance via its IP.

https://docs.securityonion.net/en/2.4/bpf.html

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Can I block a specific IP for all alerting #14064

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Can I block a specific IP for all alerting #14064

Uh oh!

jashbaugh-c1 Jan 2, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment

Uh oh!

rh-ops Jan 3, 2025

jashbaugh-c1
Jan 2, 2025

rh-ops
Jan 3, 2025