What is the best way to deal with Poor Reputation rules? It is expected that IPs are going to continually probe any open ports. Right now I am adding them to a list like this:
suppress gen_id 1, sig_id 2403379, track by_dst, ip 192.168.90.10
suppress gen_id 1, sig_id 2403384, track by_dst, ip 192.168.90.10
suppress gen_id 1, sig_id 2403377, track by_dst, ip 192.168.90.10
I don't want to disable the rule, as it would be interesting if there are any connections out to Poor Reputation IP addresses.
Looking at my event log, I am not sure a threshold alert will make any difference. I normally get a single connection from those IP addresses in the Poor Reputation group.
Right now it looks like I need to create a matching suppress rule for every ET Poor Reputation IP group rule.
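One way to avoid writing the suppress lines by hand, as an added example that is not from the original post: a small Python script that pulls the sids of the inbound Poor Reputation rules out of a rules file and emits one suppress line per sid for the host being probed, leaving any outbound rules untouched so connections to bad IPs still alert. The rule text below is constructed for the example (the sid for the scan rule is made up), and matching on the "Poor Reputation IP group" message substring is an assumption about the ET rule set.

```python
import re

# Constructed sample in ET rule format for this example: the sids from the post
# (2403377, 2403379, 2403384) stand in for real rules; sid 2000001 is made up.
SAMPLE_RULES = r'''
alert ip [203.0.113.10,203.0.113.11] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 77"; classtype:misc-attack; sid:2403377; rev:1;)
alert ip [203.0.113.12] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 79"; classtype:misc-attack; sid:2403379; rev:1;)
alert ip $HOME_NET any -> [203.0.113.13] any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 84"; classtype:misc-attack; sid:2403384; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Constructed Example Scan Rule"; classtype:attempted-recon; sid:2000001; rev:1;)
'''

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^\s*alert\s+\S+\s+\S+\s+\S+\s+->\s+(\S+)\s+\S+\s+\((.*)\)\s*$')
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+);')


def poor_reputation_sids(rules_text, inbound_only=True, marker="poor reputation ip group"):
    """Return the sorted sids of rules whose msg contains `marker`.

    With inbound_only, only rules whose destination is $HOME_NET are kept, so
    rules that would reveal connections *out* to bad IPs are not suppressed.
    """
    sids = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith('#'):   # disabled rule, skip it
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        dst, options = m.groups()
        msg = MSG_RE.search(options)
        sid = SID_RE.search(options)
        if not msg or not sid:
            continue
        if marker not in msg.group(1).lower():
            continue
        if inbound_only and dst != '$HOME_NET':
            continue
        sids.add(int(sid.group(1)))
    return sorted(sids)


def suppress_lines(sids, ip, track='by_dst', gen_id=1):
    """Emit threshold.conf suppress entries in the same format the post uses."""
    return [f'suppress gen_id {gen_id}, sig_id {sid}, track {track}, ip {ip}' for sid in sids]


if __name__ == '__main__':
    for entry in suppress_lines(poor_reputation_sids(SAMPLE_RULES), '192.168.90.10'):
        print(entry)
```

To run it against a real rule set, replace SAMPLE_RULES with the contents of the ET rules file and append the printed lines to threshold.conf.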