NIDS tuning with source and destination IPs

[rosswakelin]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

32

Storage for /

100

Storage for /nsm

1000

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I'm trying to tune a NIDS detection using the ETPRO ruleset. I have one rule that triggers on traffic between two particular hosts, and I want to suppress the alert. That is I want to suppress if the source is (e.g.) 1.1.1.1 AND the destination is (e.g.) 2.2.2.2.
The tuning interface in the manager seems to let me pick source or destination or both, but what is the syntax for this particular use case.
Thanks

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

You can't suppress for a source and destination pairing, it's either one or the other.

You could implement this with a custom flowbit, per this post on the Suricata forum:

https://forum.suricata.io/t/rule-threshold-configuration/2461