FireSIGHT suppression

When you add a suppression rule, does it just remove the event from displaying, or does it override the action too?

You can suppress intrusion event notification for a rule or rules. When notification is suppressed for a rule, the rule triggers but events are not generated. You can set one or more suppressions for a rule. The first suppression listed has the highest priority. Note that when two suppressions conflict, the action of the first is carried out.

FireSIGHT System User Guide Version 5.4.1

If I add suppression for a rule that has a block condition, will it still block, but just not alert?

I have a false positive that I want to rule out for a specific host, but don't want to disable the entire rule. If the false positive triggers, I don't want the traffic to be dropped AND I don't want to be alerted.

Accepted Solutions
Cisco Employee

Hello Team

By suppressing, the rule will still work, but the only difference is it won't generate any alerts for the same. To verify the false positive, collect the pcap by clicking on packet download for that specific event in the Intrusion Events page and request TAC for false positive analysis.

Rate if post helps you.

Regards

Jetsy

The Suppression concept has had its misinterpretations over time. The block will continue, but no alerts will be generated. Basically, no notification. If your intent is to completely avoid an IP or group of IPs or segment, then you will have to modify the signature (which will create a Local signature), and under this local signature you can make all the changes you need by source or destination, same with ports and other parameters. However, you will need to enable this signature and disable the other. And keep in mind that any updates on the original signature will not show in the modified signature.

4 REPLIES
Beginner

In your case, suppression will not trigger the rule to block. I'm guessing it is a documentation "bug", but once I suppress rule per "source", my false-positives go away.

Thank you. This is exactly what I believed to be experiencing, but wanted to confirm this was the expected behavior.

What I hear you guys saying is that you should only use the Suppression feature to tune out false positives of events that do not have a block action.

Enabling it for an event with a block action would suppress the alert but still block the packet, and you would not know that the event happened, let alone that it was blocked, without a packet capture to confirm.
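The behaviour the replies describe, as an added model written for this thread (not Cisco code): a suppression hides the intrusion event but leaves the rule's drop action in place, whereas a modified local signature that excludes the host changes the verdict itself. Signature IDs, hosts and the `Rule`/`Suppression` types are constructed for illustration; real rule content matching is out of scope, so every enabled rule is assumed to match the sample packet.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    sid: int                  # constructed signature id
    action: str               # "alert" or "drop"
    enabled: bool = True
    exclude_src: List[str] = field(default_factory=list)  # local-signature tweak

@dataclass
class Suppression:
    sid: int
    src: Optional[str] = None  # suppress by source network; None = whole rule

def matches(rule, pkt):
    """Rule fires unless disabled or the source is excluded in the local signature."""
    src = ip_address(pkt["src"])
    return rule.enabled and not any(src in ip_network(n) for n in rule.exclude_src)

def suppressed(suppressions, rule, pkt):
    """Suppression only decides whether an event is *generated*, never the action."""
    src = ip_address(pkt["src"])
    return any(s.sid == rule.sid and (s.src is None or src in ip_network(s.src))
               for s in suppressions)

def inspect(pkt, rules, suppressions=()):
    """Return (verdict, event_sids) for one packet."""
    verdict, events = "pass", []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "drop":
            verdict = "drop"           # action applied regardless of suppression
        if not suppressed(suppressions, rule, pkt):
            events.append(rule.sid)    # notification only when not suppressed
    return verdict, events

FP_HOST = {"src": "10.0.0.5", "dst": "192.0.2.10"}   # constructed false-positive host
OTHER_HOST = {"src": "10.0.0.9", "dst": "192.0.2.10"}

def scenario_original():          # drop + event
    return inspect(FP_HOST, [Rule(1000001, "drop")])

def scenario_suppressed():        # silent drop: blocked, but no event to see
    return inspect(FP_HOST, [Rule(1000001, "drop")], [Suppression(1000001, src="10.0.0.5/32")])

def scenario_local_signature():   # original disabled, local copy excludes the host
    rules = [Rule(1000001, "drop", enabled=False), Rule(1000002, "drop", exclude_src=["10.0.0.5/32"])]
    return inspect(FP_HOST, rules), inspect(OTHER_HOST, rules)
```

The suppressed case is the one the thread warns about: the verdict is still "drop" while the event list is empty, so the block is invisible without a packet capture.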
