Supress inside signature

apex · January 18, 2024, 2:25pm

I have a suppress rule in threshold.config
suppress gen_id 1, sig_id 996
works as expected,

The doc mentions
‘Please note that thresholding can also be set inside a signature.’

Is there any way to have the suppress keyword directly in the signature declaration (a bypass rule with an alert in this case) ?
I could find example and test cases that uses the threshold: keyword, but nothing about suppress.
That would be very convenient if we could do that.

vjulien · January 18, 2024, 10:51pm

You can just use noalert; in the rule instead?

apex · January 19, 2024, 3:35pm

I tested the noalert; option it works perfect.
The doc mentions flowbit:noalert, which is equivalent apparently.
Thanks!

Topic		Replies	Views
Rule threshold configuration Rules rules , suricata	2	1184	May 12, 2022
Suppress rule suricata Help rules , suricata	1	302	August 9, 2023
Suricata ignore Rule by IP	3	2478	July 26, 2021
Excluding IP Addresses from Monitoring or IDS/IPS Help	29	10511	May 14, 2020
Problem to create a simple signature Rules	2	599	April 13, 2022

Supress inside signature

Related Topics