I'm trying to suppress the "PROTOCOL-DNS TMG Firewall client long host exploit" rule on my Security Onion server. I've added a suppression to my threshold.conf file.
suppress gen_id 1, sig_id 19187
and two pass rules to my local.rules file.
pass udp <my DNS Server> 53 -> 10.0.1.0/24 any (msg:"LOCAL pass DNS replies from my DNS server (udp)"; sid:9000026; rev:1;)
pass tcp <my DNS Server> 53 -> 10.0.1.0/24 any (msg:"LOCAL pass DNS replies from my DNS server (tcp)"; sid:9000027; rev:1;)
I then ran "sudo rule-update".
For some reason the rule is still triggering alerts. I know I'm using the correct threshold.conf and local.rules file because other suppressions and pass rules are working fine. Does anyone have any idea why this one rule refuses to obey the suppression?
Thanks
-Craig
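A quick lint pass over local.rules and threshold.conf catches the two defects most likely to make a pass rule or suppression silently fail to load: the non-existent `sig` option (Snort's keyword is `sid`) and two rules sharing one sid. This is an added example, not part of the original post or of Security Onion; the sample rules and DNS server address 10.0.1.2 are constructed to mirror the post.

```python
import re

# Constructed inputs mirroring the post: two pass rules that share a sid and
# use "sig" instead of the Snort option keyword "sid". 10.0.1.2 is a placeholder.
LOCAL_RULES = """\
pass udp 10.0.1.2 53 -> 10.0.1.0/24 any (sig:9000026)
pass tcp 10.0.1.2 53 -> 10.0.1.0/24 any (sig:9000026)
"""
THRESHOLD_CONF = "suppress gen_id 1, sig_id 19187\n"

# Rule header: action proto src sport dir dst dport ( options )
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(line):
    """Return (header fields, {option: value}) or None if the line is not a rule."""
    m = HEADER.match(line)
    if not m:
        return None
    opts = {}
    for opt in m.group(8).split(';'):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip()
    return m.groups()[:7], opts

def lint_rules(text):
    """Return a list of (line number, problem) for each defect found."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            findings.append((n, 'unparseable rule'))
            continue
        opts = parsed[1]
        if 'sig' in opts and 'sid' not in opts:
            findings.append((n, "option 'sig' is not a Snort keyword; use 'sid'"))
        sid = opts.get('sid') or opts.get('sig')
        if sid is None:
            findings.append((n, 'rule has no sid'))
        elif sid in seen:
            findings.append((n, f'sid {sid} already used on line {seen[sid]}'))
        else:
            seen[sid] = n
        if 'msg' not in opts:
            findings.append((n, 'missing msg option'))
    return findings

def parse_suppress(text):
    """Return the set of (gen_id, sig_id) pairs suppressed in threshold.conf."""
    pat = re.compile(r'^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)')
    return {(int(m.group(1)), int(m.group(2)))
            for m in map(pat.match, text.splitlines()) if m}
```

Run it against the real files before `sudo rule-update`; an empty findings list and the expected (gen_id, sig_id) pair in the suppress set means the two files at least parse the way Snort will read them.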