ignore some source IP from certain suricata rules #6616
What is the best way to ignore some source IPs for specific rules? For example, I get a lot of "ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)" from my desktop IP, and this is a softphone. How do I avoid getting the alerts all the time? Thank you~!
Replies: 1 comment 1 reply
Check out the thresholding and suppressions section of this: https://docs.securityonion.net/en/2.3/managing-alerts.html. It will look something like below. One thing to note: make sure you get the spacing correct, as YAML is very particular about its formatting.
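An added illustration of the kind of thresholding entry the reply refers to (it is not the reply's own snippet and not from the Security Onion docs). It assumes Security Onion 2.3 reads the `thresholding` pillar key from `/opt/so/saltstack/local/pillar/global.sls`; the SID and the IP address are placeholders, since the post gives neither.

```yaml
# Added example, not from the original post. Suricata thresholding in
# Security Onion 2.3 lives under the "thresholding" key of the local
# pillar; the file path is an assumption based on the 2.3 docs.
# File: /opt/so/saltstack/local/pillar/global.sls
#
# Indentation is significant: two spaces per level, no tabs.
thresholding:
  sids:
    # Placeholder SID: replace with the SID of the ET INFO STUN rule as
    # shown in the alert (the real value is not given in the post).
    1234567:
      # Option 1: suppress the alert entirely when the source is the
      # softphone desktop (constructed address; use your own).
      - suppress:
          gen_id: 1
          track: by_src
          ip: 192.0.2.25
      # Option 2 (instead of, or alongside, suppress): keep the detection
      # but alert at most once per source every 10 minutes, so a new STUN
      # source still shows up without flooding the console.
      - threshold:
          gen_id: 1
          type: limit
          track: by_src
          count: 1
          seconds: 600
```

Suppression by source drops only that host's alerts for that one SID; the rate-limit keeps the signal for every other source, which is usually the safer choice when the noisy host is not the only one that could trigger the rule.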