Good day.
We have a Snort3 sensor running 3.9.6.0 with the ETOPEN ruleset. The sensor runs on Debian 13, if that is relevant. Every time we go to image one of our laptops, we get several hundred ET alerts, despite the fact that I have what I believe are the proper suppression rules set in snort.lua (the IP address of the machine generating these alerts is 172.19.8.25). Here is what I believe to be a relevant clip:
--------------------------------------------------------------------------
-- 6. configure filters
---------------------------------------------------------------------------
include 'et_thresholds.lua'
-- below are examples of filters
-- each table is a list of records
suppress =
{
    -- don't want to see any of these
    { track = 'by_src', ip = '172.19.8.25' },
    { track = 'by_dst', ip = '172.19.8.25' },
    …
}
I’ve tried different syntax that I’ve seen online, including:
{ gid = 0, sid = 0, track = 'by_src', ip = '172.19.8.25' },
{ gid = 0, sid = 0, track = 'by_dst', ip = '172.19.8.25' },
It would appear, though, that nothing I do suppresses error messages from this IP…
Does anyone have any idea how I might be able to accomplish this?
Thank you very much in advance for any assistance you can provide.
-Dave
David Z. Melczer | Director of Information Technology
Greenbaum, Rowe, Smith & Davis LLP
Delivery: 99 Wood Avenue South | Iselin, NJ | 08830
Mailing: P.O. Box 5600 | Woodbridge, NJ | 07095
T: 732.476.3284 | F: 732.476.3285 | vCard

Disclaimer
This e-mail (including any attachments) is intended only for the exclusive use of the individual to whom it is addressed. The information contained hereinafter may be proprietary, confidential, privileged and exempt from disclosure under applicable law. If the reader of this e-mail is not the intended recipient or agent responsible for delivering the message to the intended recipient, the reader is hereby put on notice that any use, dissemination, distribution or copying of this communication is strictly prohibited. If the reader has received this communication in error, please immediately notify the sender by telephone (732-549-5600) or e-mail and delete all copies of this e-mail and any attachments. Thank you.
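One way to lay out host-specific suppressions in snort.lua, as an added example that is not from the original post nor from the Snort or Emerging Threats projects. The sid values, the rate-limit record and the file path are placeholders; for real alerts the gid and sid come from the [gid:sid:rev] triple Snort prints at the start of each alert line.

```lua
-- Added example, not the poster's config: suppressions for one noisy host that
-- survive the include of et_thresholds.lua. sids below are placeholders.

include 'et_thresholds.lua'

-- snort.lua is plain Lua: a second 'suppress = { ... }' assignment after the
-- include replaces any table the included file created instead of adding to
-- it. Reuse the table if it exists and append records to it.
suppress = suppress or {}

local imaging_host = '172.19.8.25'          -- assumed: the laptop being imaged
local noisy_sids   = { 2000001, 2000002 }   -- placeholder ET sids (ET rules use gid 1)

-- One record per (gid, sid, direction); suppress takes gid, sid, track and ip.
for _, sid in ipairs(noisy_sids) do
    table.insert(suppress, { gid = 1, sid = sid, track = 'by_src', ip = imaging_host })
    table.insert(suppress, { gid = 1, sid = sid, track = 'by_dst', ip = imaging_host })
end

-- For a rule that should still be seen, but not hundreds of times per image run,
-- rate-limit it instead of silencing it: log the first event per source per
-- 60 seconds and drop the rest. (placeholder sid)
event_filter = event_filter or {}
table.insert(event_filter,
    { gid = 1, sid = 2000003, type = 'limit', track = 'by_src', count = 1, seconds = 60 })
```

Before restarting the sensor, `snort -c /etc/snort/snort.lua -T` (path assumed) parses and validates the configuration without starting a capture, and `snort --help-module suppress` prints the fields a suppress record accepts, which is the quickest way to confirm that every key in a record is one Snort understands.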