Snort rules can be worth keeping even when one known host produces repeated false positives. A signature ID suppression quiets a selected rule for a selected source or destination address while the rest of the ruleset still evaluates that SID.
Snort 3 configures event suppression in Lua with the suppress table. The event key uses gid and sid, and track decides whether the ip value is matched against the packet source or destination.
Use suppression after the traffic owner and reason are known, not as a first response to an unexplained alert flood. To verify it, replay known matching traffic: it should alert before the Lua change and produce no alert_fast line once the same gid, sid, and source address are suppressed.
06/25-00:30:03.217715 [**] [1:1000003:1] "LOCAL UDP suppress test" [**] [Priority: 0] {UDP} 127.0.0.1:37890 -> 127.0.0.1:31339
The alert key 1:1000003:1 is gid:sid:rev.
$ snort --help-module suppress
suppress
Help: configure event suppressions

##### snipped #####

int suppress[].gid = 0: rule generator ID { 0:8129 }
int suppress[].sid = 0: rule signature ID { 0:max32 }
enum suppress[].track: suppress only matching source or destination addresses { 'by_src' | 'by_dst' }
string suppress[].ip: restrict suppression to these addresses according to track
suppress =
{
    { gid = 1, sid = 1000003, track = 'by_src', ip = '127.0.0.1' },
}
Use by_dst when only alerts to a specific destination should be suppressed.
$ sudo snort -c /usr/local/etc/snort/snort.lua \
    -R /usr/local/etc/snort/rules/local.rules -T
--------------------------------------------------
o")~   Snort++ 3.12.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
##### snipped #####
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
$ sudo snort -q -c /usr/local/etc/snort/snort.lua \
    -R /usr/local/etc/snort/rules/local.rules \
    -r suppress-test.pcap -k none -A alert_fast
The absence of any alert_fast line for the same PCAP confirms that 1:1000003 is suppressed for the tracked source address.
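To check the before/after comparison described above without re-reading alert output by hand, the following added script (not part of the original page or of Snort) parses alert_fast lines and applies the same gid/sid/track/ip logic as the Lua suppress table to predict which alerts should disappear. The alert lines are constructed samples in the format shown on this page, and the parser assumes IPv4 addresses and a single ip string per suppress entry.

```python
import re

# Constructed alert_fast lines in the page's format (not real captures).
SAMPLE_ALERTS = """\
06/25-00:30:03.217715 [**] [1:1000003:1] "LOCAL UDP suppress test" [**] [Priority: 0] {UDP} 127.0.0.1:37890 -> 127.0.0.1:31339
06/25-00:30:04.100001 [**] [1:1000003:1] "LOCAL UDP suppress test" [**] [Priority: 0] {UDP} 192.0.2.7:40000 -> 127.0.0.1:31339
06/25-00:30:05.000002 [**] [1:1000004:1] "LOCAL other rule" [**] [Priority: 0] {UDP} 127.0.0.1:37891 -> 127.0.0.1:31340
"""

# Mirrors the Lua suppress table: one dict per entry.
SUPPRESS = [
    {"gid": 1, "sid": 1000003, "track": "by_src", "ip": "127.0.0.1"},
]

# [gid:sid:rev] "msg" ... {PROTO} src:port -> dst:port  (IPv4 only, an assumption)
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)".*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+):\d+\s+->\s+(?P<dst>[0-9.]+):\d+'
)


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"not an alert_fast line: {line!r}")
    d = m.groupdict()
    return {"gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "proto": d["proto"], "src": d["src"], "dst": d["dst"]}


def is_suppressed(alert, suppress):
    """True if any suppress entry matches this alert's gid, sid and tracked address."""
    for entry in suppress:
        if entry["gid"] != alert["gid"] or entry["sid"] != alert["sid"]:
            continue  # suppression is per SID; other rules are unaffected
        if entry["track"] not in ("by_src", "by_dst"):
            raise ValueError(f"track must be by_src or by_dst: {entry['track']!r}")
        addr = alert["src"] if entry["track"] == "by_src" else alert["dst"]
        if addr == entry["ip"]:
            return True
    return False


def surviving_alerts(alert_text, suppress):
    """Alerts that Snort should still emit after the suppress table is applied."""
    alerts = (parse_alert(l) for l in alert_text.splitlines() if l.strip())
    return [a for a in alerts if not is_suppressed(a, suppress)]
```

Run it against the alert_fast output captured before the Lua change; the list it returns is what the second PCAP replay should still print.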
Do not use broad suppression to hide an unknown alert flood. Confirm the traffic owner and reason first.