How to suppress a Snort signature ID

Snort rules can be worth keeping even when one known host produces repeated false positives. A signature ID suppression quiets a selected rule for a selected source or destination address while the same rule keeps firing for every other address.

Snort 3 configures event suppression in Lua with the suppress table. Each entry names the event by gid and sid, and track decides whether the ip value is compared with the packet's source address (by_src) or destination address (by_dst).

Use suppression only after the traffic owner and reason are known, not as a first response to an unexplained alert flood. Traffic known to match the rule should alert before the Lua change and produce no alert_fast line once the same gid, sid, and source address are suppressed, while the same SID from any other source should still alert.

Steps to suppress a Snort signature ID:

  1. Confirm the generator ID and signature ID from an alert.
    06/25-00:30:03.217715 [**] [1:1000003:1] "LOCAL UDP suppress test" [**] [Priority: 0] {UDP} 127.0.0.1:37890 -> 127.0.0.1:31339

    The alert key 1:1000003:1 is gid:sid:rev.

  2. Confirm the suppress module syntax.
    $ snort --help-module suppress
    suppress
     
    Help: configure event suppressions
    ##### snipped #####
    int suppress[].gid = 0: rule generator ID { 0:8129 }
    int suppress[].sid = 0: rule signature ID { 0:max32 }
    enum suppress[].track: suppress only matching source or destination addresses { 'by_src' | 'by_dst' }
    string suppress[].ip: restrict suppression to these addresses according to track
  3. Add a suppression block to the Lua configuration.
    suppress =
    {
        { gid = 1, sid = 1000003, track = 'by_src', ip = '127.0.0.1' }
    }

    Use by_dst when only alerts to a specific destination should be suppressed.

  4. Validate the configuration and rules.
    $ sudo snort -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules -T
    --------------------------------------------------
    o")~   Snort++ 3.12.2.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    ##### snipped #####
    pcap DAQ configured to passive.
     
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting
  5. Replay the traffic that used to alert.
    $ sudo snort -q -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules \
        -r suppress-test.pcap -k none -A alert_fast

    No alert_fast line for 1:1000003 from the same PCAP confirms that the SID is suppressed for the tracked source. Replay the PCAP once more with the suppress block removed or commented out and confirm the alert comes back; a rule that never alerted proves nothing about the suppression. Alerts for other SIDs, and for 1:1000003 from untracked sources, should be unchanged between the two runs.

  6. Record why the SID was suppressed and when it should be reviewed.

    A Lua comment next to the entry naming the owner, the reason, and a review date keeps the suppression from outliving the false positive it was written for. Do not use broad suppression to hide an unknown alert flood; confirm the traffic owner and reason first.
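The before-and-after check in steps 4 to 6 is easy to eyeball for one alert and easy to get wrong for a busy PCAP. The script below is an added example, not part of the original page or of the Snort project: it parses alert_fast output from two runs of the same PCAP (one without the suppress block, one with it) and reports whether the tracked gid:sid:ip actually fired before, is silent after, and whether every other (gid, sid, address) count is unchanged, which is what a correctly scoped suppression looks like. The alert lines are constructed for the example; the parser handles IPv4 endpoints with or without a port and leaves IPv6 addresses untouched.

```python
import re
from collections import Counter

# Constructed sample output, not captured from a real sensor: alert_fast lines as
# `snort -A alert_fast` prints them. BEFORE is the run without the suppress block,
# AFTER is the same PCAP with { gid = 1, sid = 1000003, track = 'by_src', ip = '127.0.0.1' }.
BEFORE = """\
06/25-00:30:03.217715 [**] [1:1000003:1] "LOCAL UDP suppress test" [**] [Priority: 0] {UDP} 127.0.0.1:37890 -> 127.0.0.1:31339
06/25-00:30:03.218002 [**] [1:1000003:1] "LOCAL UDP suppress test" [**] [Priority: 0] {UDP} 10.0.0.7:40000 -> 127.0.0.1:31339
06/25-00:30:03.219111 [**] [1:1000004:1] "LOCAL other rule" [**] [Priority: 0] {UDP} 127.0.0.1:37891 -> 127.0.0.1:31340
"""
AFTER = """\
06/25-00:30:03.218002 [**] [1:1000003:1] "LOCAL UDP suppress test" [**] [Priority: 0] {UDP} 10.0.0.7:40000 -> 127.0.0.1:31339
06/25-00:30:03.219111 [**] [1:1000004:1] "LOCAL other rule" [**] [Priority: 0] {UDP} 127.0.0.1:37891 -> 127.0.0.1:31340
"""

# Matches the [gid:sid:rev] key, the {PROTO} tag and the "src -> dst" endpoints of an alert_fast line.
ALERT_RE = re.compile(
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*?\{(?P<proto>[A-Z0-9]+)\} '
    r'(?P<src>\S+) -> (?P<dst>\S+)\s*$'
)


def strip_port(endpoint):
    """Drop the :port suffix alert_fast appends for TCP/UDP on IPv4.
    ICMP lines carry a bare address; IPv6 (more than one colon) is returned unchanged."""
    if endpoint.count(':') == 1:
        return endpoint.split(':', 1)[0]
    return endpoint


def parse_alerts(text):
    """Yield (gid, sid, src_ip, dst_ip) for every parsable alert_fast line; other lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m['gid']), int(m['sid']), strip_port(m['src']), strip_port(m['dst'])


def count_by_track(text, track):
    """Counter keyed by (gid, sid, ip), where ip is the source for by_src and the destination for by_dst."""
    counts = Counter()
    for gid, sid, src, dst in parse_alerts(text):
        counts[(gid, sid, src if track == 'by_src' else dst)] += 1
    return counts


def check_suppression(before, after, gid, sid, track, ip):
    """Compare two alert_fast outputs for one suppress entry.
    fired_before: the tracked key alerted without the suppression (otherwise the test proves nothing)
    silenced:     no alert for the tracked key remains with the suppression in place
    others_intact: every other (gid, sid, ip) count is identical, i.e. nothing else was quieted"""
    b = count_by_track(before, track)
    a = count_by_track(after, track)
    key = (gid, sid, ip)
    others_before = {k: v for k, v in b.items() if k != key}
    others_after = {k: v for k, v in a.items() if k != key}
    return {
        'fired_before': b[key] > 0,
        'silenced': a[key] == 0,
        'others_intact': others_before == others_after,
    }


if __name__ == '__main__':
    # In practice read the two files written from `snort -r suppress-test.pcap -A alert_fast` instead.
    print(check_suppression(BEFORE, AFTER, 1, 1000003, 'by_src', '127.0.0.1'))
```

All three keys should come back True; a False in fired_before means the PCAP never exercised the rule, a False in others_intact means the suppression (or some other change between the two runs) is quieting more than the one tracked address.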