From: Victor Julien <victor@inliniac.net>
Date: Thu, 29 Mar 2018 13:31:47 +0000 (+0200)
Subject: doc: add by_either to suppress explanation
X-Git-Tag: suricata-4.0.5~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97107a18c1665e925841d1c9868ff689574d028c;p=thirdparty%2Fsuricata.git

doc: add by_either to suppress explanation
---

diff --git a/doc/userguide/configuration/global-thresholds.rst b/doc/userguide/configuration/global-thresholds.rst
index adb5cb8b47..2ec4cbfb03 100644
--- a/doc/userguide/configuration/global-thresholds.rst
+++ b/doc/userguide/configuration/global-thresholds.rst
@@ -113,7 +113,7 @@ Syntax:
 ::
 
   suppress gen_id <gid>, sig_id <sid>
-  suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
+  suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|subnet|addressvar>
 
 Examples:
 
@@ -129,6 +129,11 @@ Other possibilities/examples::
   suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25
   suppress gen_id 1, sig_id 2003614, track by_src, ip [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
   suppress gen_id 1, sig_id 2003614, track by_src, ip $HOME_NET
+  suppress gen_id 1, sig_id 2003614, track by_either, ip 217.110.97.128/25
+
+In the last example above, the ``by_either`` tracking means that if either
+the ``source ip`` or ``destination ip`` matches ``217.110.97.128/25`` the
+rule with sid 2003614 is suppressed.
 
 .. _global-thresholds-vs-rule-thresholds: