Snort - suppress list

hello,

Is there any option to suppress some rules? pfSense has such an option, but something like `suppress gen_id 1, sig_id 50447` in a custom rule set won't work.

thx!

You should be able to add it like this to /etc/snort/include.snort:

suppress = {
  {
    gid = '1', sid = '50447', track = 'by_dst', ip = '192.168.1.220'
  },
}

Adjust the destination IP to your use-case.

2 Likes

Thanks! The file doesn't exist; do I just create it, or do I have to make an include in 'local.lua'?

(asking because it doesn't work) :wink:

edit:
/etc/config/snort:
option include '/etc/snort/include.snort'

edit2:
still not working

edit3: I added your suppress code to 'local.lua' without the ' signs at gid and sid, and then it worked:

...
snort = {}
snort["-Q"] = true

-- suppress section
suppress = {
  {
    gid = 1, sid = 50447, track = 'by_src', ip = '192.168.xx.xx'
  },
  {
    gid = 1, sid = 38124, track = 'by_src', ip = '192.168.xx.xx'
  },
}

ips = {
...
1 Like

I think it also works without the track and ip options, and suppresses the rule for everything.

I was just playing with this the other day and ended up with one entry that looks like this, which disables logging of a bunch of mDNS queries on the LAN, so ranges (both v4 and v6) appear to work in the ip value, too.

  { gid = 1, sid = 1917, track = 'by_src', ip = '10.1.1.0/24,fe80::/10' }, -- mDNS
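The three points made in this thread (gid/sid must be bare integers rather than quoted strings, an entry with no track/ip suppresses the rule for all traffic, and the ip value may be a comma-separated list of IPv4 and IPv6 addresses or ranges) are easy to get wrong when editing local.lua by hand. The following Python helper is an added example, not code from the Snort project or from anyone in this thread; it generates a suppress table in the same shape shown above and rejects the mistakes discussed here before the block is pasted into the config. The function names and the entry layout are my own choices; only the Lua keys gid, sid, track and ip come from the thread.

```python
import ipaddress
from typing import Optional

# The two track values that appear in this thread.
VALID_TRACK = {"by_src", "by_dst"}


def validate_ip_list(ip: str) -> list:
    """Check a comma-separated list of v4/v6 addresses or CIDR ranges.

    Returns the normalised networks; raises ValueError on anything that
    is not an address or range (e.g. a leftover '192.168.xx.xx' placeholder).
    """
    nets = []
    for item in ip.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in ip list")
        nets.append(str(ipaddress.ip_network(item, strict=False)))
    return nets


def suppress_entry(gid: int, sid: int,
                   track: Optional[str] = None,
                   ip: Optional[str] = None) -> str:
    """Render one Lua table entry for the Snort 3 suppress list.

    gid/sid are emitted unquoted, matching the form that worked for the
    original poster. track and ip are optional but must be given together;
    leaving both out suppresses the rule for all sources and destinations.
    """
    for name, value in (("gid", gid), ("sid", sid)):
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{name} must be an integer, not {value!r}")
    if (track is None) != (ip is None):
        raise ValueError("track and ip must be specified together")
    fields = [f"gid = {gid}", f"sid = {sid}"]
    if track is not None:
        if track not in VALID_TRACK:
            raise ValueError(f"track must be one of {sorted(VALID_TRACK)}")
        validate_ip_list(ip)          # fail early on a bad address/range
        fields.append(f"track = '{track}'")
        fields.append(f"ip = '{ip}'")
    return "  { " + ", ".join(fields) + " },"


def render_suppress(entries: list) -> str:
    """Render a complete 'suppress = { ... }' block from dicts of kwargs."""
    lines = ["suppress = {"]
    lines.extend(suppress_entry(**e) for e in entries)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample entries mirroring the ones discussed in the thread.
    sample = [
        {"gid": 1, "sid": 50447, "track": "by_src", "ip": "192.168.1.220"},
        {"gid": 1, "sid": 38124},                      # global suppression
        {"gid": 1, "sid": 1917, "track": "by_src",
         "ip": "10.1.1.0/24,fe80::/10"},               # v4 + v6 ranges
    ]
    print(render_suppress(sample))
```

Paste the printed block into local.lua between the `snort = {}` settings and the `ips = {` table, as in the working configuration above; the script only validates and formats, it does not touch the config file itself.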