topic Re: FireSIGHT suppression in Network Security

FireSIGHT suppression

Justin bollinger — Tue, 12 Mar 2019 13:04:10 GMT

When you add a suppression rule does it just remove the event from displaying or does it over ride the action too.

You can suppress intrusion event notification for a rule or rules. When notification is suppressed for a rule, the rule triggers but events are not generated. You can set one or more suppressions for a rule. The first suppression listed has the highest priority. Note that when two suppressions conflict, the action of the first is carried out.

FireSIGHT System User Guide Version 5.4.1

If I add suppression for a rule that has a block condition will it still block, but just not alert?

I have a false positive that I want to rule out for a specific host, but don't want to disable the entire rule. If the false positive triggers I dont want the traffic to be dropped AND I don't want to be alerted.

In your case, suppression

Pavel Trinos — Tue, 12 Jul 2016 02:21:41 GMT

In your case, suppression will not trigger the rule to block. I'm guessing it is a documentation "bug", but once I suppress rule per "source", my false-positives go away.

Hello Team

Jetsy Mathew — Tue, 12 Jul 2016 05:26:27 GMT

Hello Team

By suppressing , the rule will still work but only difference is it wont generate any alerts for the same. To verify the false positive collect the pcap by clicking on packet download for that specific event in Intrusion events page and request TAC for false positive analysis.

Rate if posts helps you.

Regards

Jetsy

The Suppression concept has

Ed Padilla Jr — Fri, 15 Jul 2016 19:14:30 GMT

The Suppression concept has had its misinterpretations over time. The block will continue, but no alerts will be generated. basically, no notification. If you intent is completely avoid an IP or group of IPs or segment, then you will have to modify the signature, (which will create a Local signature), and under this local signature, you can make all the changes you need by source or destination, same with ports, and other other parameters. However, you will need to enable this signature, and disable the other. And keep in mind that any updates on the original signature will not show in the modified signature,

Thank you. This is exactly

Justin bollinger — Fri, 15 Jul 2016 19:49:19 GMT

Thank you. This is exactly what I believed to be experiencing but wanted to confirm this was the expected behavior.

What I hear you guys saying is that you should only use the Suppression feature to tune out false positives of events that do not have a block action.

Enabling for an event with a block action would suppress the alert, but also block the packet, but you would not know that the event happened let alone that the event was blocked without a packet capture to confirm.

Re: FireSIGHT suppression

anuoluwapo-bankole — Mon, 07 Apr 2025 14:55:14 GMT

Hello, please, how can I suppress the IDS alert in FMC?

Re: FireSIGHT suppression

Marvin Rhoads — Mon, 07 Apr 2025 16:05:39 GMT

@anuoluwapo-bankole please use one thread per question. You have already asked your question in a new thread. Don't jump on a 9-year old discussion.