Suppression Options

Question

Hi Allsuppression is not working via options section. kindly suggest me to make the below rule work with suppression. The rule should not trigger for next 24 hrs for the same source_ip and the destination_ip  events:    $e.metadata.log_type = "SOPHOS_FIREWALL"    $e.metadata.event_type = "NETWORK_CONNECTION"    $e.principal.asset.ip = $src_ip    $e.target.asset.ip = $dst_ip    $e.intermediary.hostname =$hostname    ($e.principal.application = "Windows Remote Desktop" OR    $e.principal.application = "MS Remote Desktop Connection" OR    $e.principal.application = "SSH")    OR    ($e.target.port = 22 OR $e.target.port = 3389)    $e.security_result.action = "BLOCK"    //$e.security_result.rule_name != "GEO IP Block"     not net.ip_in_range_cidr($e.principal.ip, "127.0.0.1/32")     not net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8")     not net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12")     not net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16")   match:    $dst_ip over 10m    outcome:    $suppression_key = $dst_ip       condition:    #e >=1  options:    suppression_window = 1d //suppress for one day by user       }

cmorris · Answer

Is the issue that suppression is not taking place at all? Or is it that it is only suppressing via $dst_ip, rather than the src/dst pair?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded