When initially setting snort up you will likely come across one or two (or several) false positives.
For example in my case a specific server was being flagged when users were downloading a specific file from it over the network. The 'alert' being generated was consistent and so I wanted to ensure that this rule is not applied when the traffic was being sourced from this particular server.
Fortunately snort allows us to do this without having to completely disable the rule all together.
This can be applied in the 'thresholds.conf' file and is known as a 'supression.'
sudo vi /etc/snort/thresholds.conf
and adding something like:
suppress gen_id 1, sig_id 39463, track by_src, ip 10.11.12.13
and reload snort with:
sudo systemctl reload snort
No comments:
Post a Comment