07-11-2016 09:17 AM - edited 03-12-2019 06:04 AM
When you add a suppression rule, does it just stop the event from being displayed, or does it override the action too?
You can suppress intrusion event notification for a rule or rules. When notification is suppressed for a rule, the rule triggers but events are not generated. You can set one or more suppressions for a rule. The first suppression listed has the highest priority. Note that when two suppressions conflict, the action of the first is carried out.
If I add suppression for a rule that has a block condition will it still block, but just not alert?
I have a false positive that I want to rule out for a specific host, but I don't want to disable the entire rule. If the false positive triggers, I don't want the traffic to be dropped AND I don't want to be alerted.
07-11-2016 10:26 PM
Hello Team
By suppressing, the rule will still work; the only difference is that it won't generate any alerts for it. To verify the false positive, collect the pcap by clicking Packet Download for that specific event on the Intrusion Events page and request that TAC perform false positive analysis.
Rate if this post helps you.
Regards
Jetsy
07-15-2016 12:14 PM
The Suppression concept has had its misinterpretations over time. The block will continue, but no alerts will be generated; basically, no notification. If your intent is to completely avoid an IP, a group of IPs or a segment, then you will have to modify the signature (which will create a local signature), and under this local signature you can make all the changes you need by source or destination, the same with ports and other parameters. However, you will need to enable this signature and disable the other. And keep in mind that any updates to the original signature will not show up in the modified signature.
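To make the difference between the two options concrete, here is an added example that is not code from this thread, from Cisco or from Snort. It models a Snort-style engine in which rules decide the verdict first and suppression only filters event output, so a suppressed drop rule still drops, whereas a local copy of the rule with the host negated in its source field never matches and therefore neither drops nor alerts. The SID 1000001, the host 10.1.2.3, the packets and the simplified rule header emitted by `to_snort()` are all assumptions for illustration.

```python
"""Toy model of the two options discussed in the thread: suppressing a
rule versus replacing it with a locally modified copy that excludes the
false-positive source. Added example, not code from the thread, Cisco or
Snort. SID 1000001, host 10.1.2.3 and the packets are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Rule:
    sid: int
    action: str                            # "drop" (block) or "alert"
    content: bytes                         # content match the signature looks for
    src_exclude: frozenset = frozenset()   # sources a local copy negates

    def matches(self, pkt: Packet) -> bool:
        # A negated source list is part of the rule header, so an excluded
        # host never matches and the rule's action never fires for it.
        if pkt.src in self.src_exclude:
            return False
        return self.content in pkt.payload

    def to_snort(self) -> str:
        # Simplified rule text; "![a,b]" is Snort's negated IP-list syntax.
        src = ("![" + ",".join(sorted(self.src_exclude)) + "]"
               if self.src_exclude else "$EXTERNAL_NET")
        return (f'{self.action} tcp {src} any -> $HOME_NET $HTTP_PORTS '
                f'(msg:"local copy"; content:"{self.content.decode()}"; '
                f'sid:{self.sid}; rev:1;)')


@dataclass
class Suppression:
    sid: int
    track: str                  # "by_src" or "by_dst"
    ip: str

    def covers(self, pkt: Packet) -> bool:
        return (pkt.src if self.track == "by_src" else pkt.dst) == self.ip

    def to_snort(self) -> str:
        # Snort threshold.conf syntax for an event suppression.
        return f"suppress gen_id 1, sig_id {self.sid}, track {self.track}, ip {self.ip}"


def inspect(pkt: Packet, rules: list, suppressions: list) -> tuple:
    """Return (verdict, sids_that_generated_events).

    Rules decide the verdict first; suppression is consulted only when the
    event would be written, which is why a suppressed drop still drops.
    """
    verdict = "pass"
    events = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "drop":
            verdict = "drop"
        if not any(s.sid == rule.sid and s.covers(pkt) for s in suppressions):
            events.append(rule.sid)
    return verdict, events


SID = 1000001              # assumed local SID
FP_HOST = "10.1.2.3"       # assumed host that triggers the false positive
BLOCK_RULE = Rule(SID, "drop", b"/cgi-bin/bad.cgi")
TRAFFIC = [                # constructed packets
    Packet(FP_HOST, "192.0.2.10", b"GET /cgi-bin/bad.cgi HTTP/1.1"),
    Packet("198.51.100.7", "192.0.2.10", b"GET /cgi-bin/bad.cgi HTTP/1.1"),
    Packet(FP_HOST, "192.0.2.10", b"GET /index.html HTTP/1.1"),
]


def with_suppression() -> list:
    """Option 1: keep the block rule, suppress its events by source."""
    sup = Suppression(SID, "by_src", FP_HOST)
    return [inspect(p, [BLOCK_RULE], [sup]) for p in TRAFFIC]


def with_local_rule() -> list:
    """Option 2: disable the original, enable a copy that negates the host."""
    local = Rule(SID, "drop", b"/cgi-bin/bad.cgi", frozenset({FP_HOST}))
    return [inspect(p, [local], []) for p in TRAFFIC]


if __name__ == "__main__":
    print(Suppression(SID, "by_src", FP_HOST).to_snort())
    for (v, e), p in zip(with_suppression(), TRAFFIC):
        print("suppression:", p.src, "->", v, "events:", e)
    print(Rule(SID, "drop", b"/cgi-bin/bad.cgi", frozenset({FP_HOST})).to_snort())
    for (v, e), p in zip(with_local_rule(), TRAFFIC):
        print("local rule: ", p.src, "->", v, "events:", e)
```

Running it shows the first packet from 10.1.2.3 is still dropped under suppression but produces no event, while under the local rule it passes untouched; the unrelated host 198.51.100.7 is dropped and logged in both cases. The trade-off the post mentions also shows up in the model: the local copy carries its own `content` and will not pick up later changes to the original signature.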
07-11-2016 07:21 PM
In your case, suppression will not trigger the rule to block. I'm guessing it is a documentation "bug", but once I suppress a rule by "source", my false positives go away.
07-15-2016 12:49 PM
Thank you. This is exactly what I believed to be experiencing but wanted to confirm this was the expected behavior.
What I hear you guys saying is that you should only use the Suppression feature to tune out false positives for events that do not have a block action.
Enabling it for an event with a block action would suppress the alert but still block the packet, and you would not know that the event happened, let alone that it was blocked, without a packet capture to confirm it.