[Snort-devel] Snort-devel Digest, Vol 20, Issue 2

Thanos Constantopoulos thanoscon at gmail.com
Mon Feb 11 03:35:49 EST 2019


Hello Russ

Yes, these are builtin rules and I was trying to also add a global
suppression for all signatures. I tried to comment out the signature in
the builtin rules but that didn't work.
Can you please explain a bit more about the multiple policies? How can
I implement this?


On Fri, Feb 8, 2019 at 11:30 PM <snort-devel-request at lists.snort.org> wrote:
>
>
> Today's Topics:
>
>    1. Re: Help with Suppression (Russ)
>    2. Re: Help with Suppression (Tim Townsend)
>    3. Re: Help with Suppression (lbelyeu71 at gmail.com)
>    4. remove from list (Aaron Taylor)
>    5. Fwd:  remove from list (Mel Griffiths)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 8 Feb 2019 12:29:19 -0500
> From: Russ <rucombs at cisco.com>
> To: snort-devel at lists.snort.org
> Subject: Re: [Snort-devel] Help with Suppression
> Message-ID: <c9cc45b0-8f82-cc40-5b0d-7b877991619a at cisco.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hey Thanos,
>
> You can only set one suppression per gid:sid pair so you can't at the
> moment fully exclude a gid:sid by suppression.
>
> Are the alerts you are trying to suppress with 0:0 based on builtin
> rules? You may be able to configure multiple policies differently to work
> around some cases.
>
> Also, I'm curious about your suppression of 119:225 and 119:228. Can you
> share any data on those like -A cmg output or maybe a pcap?
>
> Thanks
> Russ
>
> On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
> > Hello All,
> >
> > We are running Snort 3.0.0-250 as an IDS and we are trying to suppress
> > several IP addresses from the logs (global suppression from all
> > signatures). In order to perform this for specific IP addresses by
> > source we add the following under snort.lua
> >
> > suppress =
> > {
> >     { gid = 119, sid = 228 },
> >     { gid = 119, sid = 225 },      -- was 'sid 225': the '=' was missing
> >     -- 'track' must be a quoted string, and a repeated 'ip' key in a Lua
> >     -- table constructor keeps only the last value, so both hosts go
> >     -- into a single bracketed address list instead
> >     { gid = 0, sid = 0, track = 'by_src', ip = '[10.10.10.10,192.168.10.10]' },
> > }
> >
> > My questions are:
> >
> > - Is there a way to use additional suppression rules to cover by_src
> > with the same gid and sid?
> > - Is there a way to use additional suppression rules to cover by_src
> > and by_dst, to totally exclude a subnet or IP address?
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.snort.org
> > https://lists.snort.org/mailman/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 8 Feb 2019 17:28:12 +0000
> From: Tim Townsend <Tim at SaifulBouquet.com>
> To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> Subject: Re: [Snort-devel] Help with Suppression
> Message-ID:
>         <abdb6d7cf9d44774ad0e4d28ef410cef at Mail.SaifulBouquet.local>
> Content-Type: text/plain; charset="utf-8"
>
> I have removed myself from this group several times through the website but I am still getting emails. Can someone please remove me?
>
> Thanks
>
> TIM TOWNSEND
> IT Director
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 8 Feb 2019 19:35:15 +0000 (UTC)
> From: "lbelyeu71 at gmail.com" <lbelyeu71 at gmail.com>
> To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>,  Tim
>         Townsend <Tim at SaifulBouquet.com>
> Subject: Re: [Snort-devel] Help with Suppression
> Message-ID: <204005713.560161.1549654515221 at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Please remove me as well. No longer in this profession.
>
> ------------------------------
>
> Message: 4
> Date: Fri, 8 Feb 2019 17:04:08 -0500
> From: Aaron Taylor <aaroncurtistaylor at gmail.com>
> To: snort-devel at lists.snort.org
> Subject: [Snort-devel] remove from list
> Message-ID:
>         <CABU9SvWQWX2VdRZ+CvEn2fg-J14VHd3xazC-oY=bFLxEy4_a4g at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I have also unsubscribed but somehow still getting emails. Please
> remove me from the list.
>
>
> ------------------------------
>
> Message: 5
> Date: Sat, 9 Feb 2019 15:25:50 +0800
> From: Mel Griffiths <melsphonemail at gmail.com>
> To: snort-devel at lists.snort.org
> Subject: [Snort-devel] Fwd:  remove from list
> Message-ID:
>         <CA+0kOjcT5=Z+OtBMRQrn=gEusuVJ7zsibtKgvNfc03MGdou7VQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Could you please also remove me from this list?
>
> Thanks.
>
>
> ---------- Forwarded message ---------
> From: Aaron Taylor via Snort-devel <snort-devel at lists.snort.org>
> Date: Sat, 9 Feb. 2019, 06:06
> Subject: [Snort-devel] remove from list
> To: <snort-devel at lists.snort.org>
>
>
> I have also unsubscribed but somehow still getting emails. Please
> remove me from the list.
>
> ------------------------------
>
>
> ------------------------------
>
> End of Snort-devel Digest, Vol 20, Issue 2
> ******************************************
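Putting Russ's two points into a Snort 3 configuration, as an added example that is not from the thread: the suppress table with its syntax fixed and a single 0:0 entry (since only one suppression per gid:sid pair is honored), plus a binder that hands flows involving the excluded hosts to a second IPS policy in which nothing alerts. The bracketed IP-list form, the binder keys `when.nets` and `use.ips_policy`, and the file name `quiet_ips.lua` are assumptions, not taken from the thread.

```lua
-- ---- snort.lua (main policy) ----
-- Builtin inspector alerts such as 119:225 / 119:228 are generated
-- only while enable_builtin_rules is true.
ips = { enable_builtin_rules = true }

-- Suppression with the posted table's syntax problems fixed: every key
-- needs '=', 'track' is a string, and a repeated 'ip' key in a Lua table
-- constructor silently overwrites the earlier one, so both hosts go into
-- one bracketed address list (assumed form for Snort's IP-list parser).
-- Only ONE suppression per gid:sid pair is honored, hence a single 0:0
-- entry and no by_dst twin; the binder below covers the rest.
suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    { gid = 0, sid = 0, track = 'by_src', ip = '[10.10.10.10,192.168.10.10]' },
}

-- Policy-based workaround (one reading of Russ's "multiple policies"
-- hint): flows that involve the excluded hosts are bound to a separate
-- IPS policy file. when.nets is assumed to match either endpoint, and
-- use.ips_policy to name the policy file; quiet_ips.lua is an assumed
-- file name.
binder =
{
    { when = { nets = '[10.10.10.10,192.168.10.10]' },
      use  = { ips_policy = 'quiet_ips.lua' } },
    -- all other traffic stays on the default policy defined above
}

-- ---- quiet_ips.lua (separate file, referenced by the binder) ----
-- No rule files are loaded and builtin rules stay off, so the bound
-- flows are still inspected but never raise an alert.
ips = { enable_builtin_rules = false }
```

Because the excluded hosts never reach the main policy's rules, this also removes the need for a by_dst suppression; verify the binding with a test pcap from one of the listed hosts before relying on it.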

