[Snort-devel] Snort-devel Digest, Vol 20, Issue 2

Russ rucombs at cisco.com
Mon Feb 11 09:36:23 EST 2019


Commenting out the rule will disable it completely.  Make sure you are 
not also setting ips.enable_builtin_rules = true.  That setting is just 
to enable the builtin rules w/o using the rule stubs.

On 2/11/19 3:35 AM, Thanos Constantopoulos via Snort-devel wrote:
> Hello Russ
>
> Yes these are built in rules and I was trying to also add a global
> suppression for all signatures. I tried to comment the signature from
> the builtin rules but that didn't work.
> Can you please explain a bit more about the multiple policies? How can
> I implement this?
>
>
> On Fri, Feb 8, 2019 at 11:30 PM <snort-devel-request at lists.snort.org> wrote:
>> Today's Topics:
>>
>>     1. Re: Help with Suppression (Russ)
>>     2. Re: Help with Suppression (Tim Townsend)
>>     3. Re: Help with Suppression (lbelyeu71 at gmail.com)
>>     4. remove from list (Aaron Taylor)
>>     5. Fwd:  remove from list (Mel Griffiths)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 8 Feb 2019 12:29:19 -0500
>> From: Russ <rucombs at cisco.com>
>> To: snort-devel at lists.snort.org
>> Subject: Re: [Snort-devel] Help with Suppression
>> Message-ID: <c9cc45b0-8f82-cc40-5b0d-7b877991619a at cisco.com>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> Hey Thanos,
>>
>> You can only set one suppression per gid:sid pair so you can't at the
>> moment fully exclude a gid:sid by suppression.
>>
>> Are the alerts you are trying to suppress with 0:0 based on builtin
>> rules? You may be able to configure multiple policies differently to work
>> around some cases.
>>
>> Also, I'm curious about your suppression of 119:225 and 119:228. Can you
>> share any data on those like -A cmg output or maybe a pcap?
>>
>> Thanks
>> Russ
>>
>> On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
>>> Hello All,
>>>
>>> We are running Snort3.0.0-250 as IDS and we are trying to suppress
>>> several IP addresses from the logs (global suppression from all
>>> signatures). In order to perform this for specific IP addresses by
>>> source we add the below under snort.lua
>>>
>>> suppress =
>>> {
>>>     { gid = 119, sid = 228 },
>>>     { gid = 119, sid = 225 },
>>>     -- Lua keeps only the last value of a repeated key, so only
>>>     -- ip = '192.168.10.10' takes effect in this entry
>>>     { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10', ip = '192.168.10.10' },
>>> }
>>>
>>> My questions are:
>>>
>>> - Is there a way to use additional suppression rules to cover by_src
>>> with the same gid and sid?
>>> - Is there a way to use additional suppression rules to cover by_src
>>> and by_dst, to totally exclude a subnet or IP address?
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.snort.org
>>> https://lists.snort.org/mailman/listinfo/snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Fri, 8 Feb 2019 17:28:12 +0000
>> From: Tim Townsend <Tim at SaifulBouquet.com>
>> To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
>> Subject: Re: [Snort-devel] Help with Suppression
>> Message-ID:
>>          <abdb6d7cf9d44774ad0e4d28ef410cef at Mail.SaifulBouquet.local>
>> Content-Type: text/plain; charset="utf-8"
>>
>> I have removed myself from this group several times through the website but I am still getting emails. Can someone please remove me?
>>
>> Thanks
>>
>> TIM TOWNSEND
>> IT Director
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Fri, 8 Feb 2019 19:35:15 +0000 (UTC)
>> From: "lbelyeu71 at gmail.com" <lbelyeu71 at gmail.com>
>> To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>,  Tim
>>          Townsend <Tim at SaifulBouquet.com>
>> Subject: Re: [Snort-devel] Help with Suppression
>> Message-ID: <204005713.560161.1549654515221 at mail.yahoo.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>>   Please remove me as well. No longer in this Profession.
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Fri, 8 Feb 2019 17:04:08 -0500
>> From: Aaron Taylor <aaroncurtistaylor at gmail.com>
>> To: snort-devel at lists.snort.org
>> Subject: [Snort-devel] remove from list
>> Message-ID:
>>          <CABU9SvWQWX2VdRZ+CvEn2fg-J14VHd3xazC-oY=bFLxEy4_a4g at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> I have also unsubscribed but somehow still getting emails. Please
>> remove me from the list.
>>
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Sat, 9 Feb 2019 15:25:50 +0800
>> From: Mel Griffiths <melsphonemail at gmail.com>
>> To: snort-devel at lists.snort.org
>> Subject: [Snort-devel] Fwd:  remove from list
>> Message-ID:
>>          <CA+0kOjcT5=Z+OtBMRQrn=gEusuVJ7zsibtKgvNfc03MGdou7VQ at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Could you please also remove me from this list?
>>
>> Thanks.
>>
>>
>> ---------- Forwarded message ---------
>> From: Aaron Taylor via Snort-devel <snort-devel at lists.snort.org>
>> Date: Sat, 9 Feb. 2019, 06:06
>> Subject: [Snort-devel] remove from list
>> To: <snort-devel at lists.snort.org>
>>
>>
>> I have also unsubscribed but somehow still getting emails. Please
>> remove me from the list.
>>
>> ------------------------------
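Russ's point in the thread is that Snort 3 honours one suppression per gid:sid pair, and the posted suppress block also repeats the ip key, which Lua silently collapses to the last value. The checker below is an added example, not code from the thread or from Snort itself; it scans the suppress block of a snort.lua for exactly those defects, and SAMPLE_SNORT_LUA is a constructed copy of the posted block with its mistakes left in.

```python
import re

# Constructed sample: the thread's suppress block, defects kept so the checker has work.
SAMPLE_SNORT_LUA = """
suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid 225 },
    { gid = 0, sid = 0, track = by_src, ip = '10.10.10.10', ip = '192.168.10.10' },
    { gid = 0, sid = 0, track = 'by_dst', ip = '10.10.10.10' },
}
"""

ENTRY_RE = re.compile(r"\{([^{}]*)\}")                          # one { ... } entry
KV_RE = re.compile(r"(\w+)\s*=\s*('[^']*'|\"[^\"]*\"|[\w.]+)")   # key = value

def parse_suppress(lua_text):
    """One (key, value) list per entry; repeated keys are kept on purpose."""
    block = re.search(r"suppress\s*=\s*\{(.*)\}", lua_text, re.S)
    if not block:
        return []
    return [KV_RE.findall(body) for body in ENTRY_RE.findall(block.group(1))]

def lint_suppress(lua_text):
    """Flag missing gid/sid, repeated keys (Lua keeps only the last value),
    an unquoted track, and a second suppression for an already-seen gid:sid."""
    findings, first_entry_for = [], {}
    for n, pairs in enumerate(parse_suppress(lua_text), start=1):
        keys = [k for k, _ in pairs]
        for req in ("gid", "sid"):
            if req not in keys:
                findings.append(f"entry {n}: missing '{req}'")
        for k in sorted(k for k in set(keys) if keys.count(k) > 1):
            vals = [v for kk, v in pairs if kk == k]
            findings.append(f"entry {n}: key '{k}' given {len(vals)} times; "
                            f"Lua keeps only {vals[-1]}")
        fields = dict(pairs)          # what Lua would actually end up with
        track = fields.get("track")
        if track is not None and track[0] not in "'\"":
            findings.append(f"entry {n}: track must be a quoted string such as 'by_src'")
        gs = (fields.get("gid"), fields.get("sid"))
        if None not in gs:
            if gs in first_entry_for:   # Snort 3 honours one suppression per gid:sid
                findings.append(f"entry {n}: gid:sid {gs[0]}:{gs[1]} already "
                                f"suppressed by entry {first_entry_for[gs]}")
            else:
                first_entry_for[gs] = n
    return findings

print("\n".join(lint_suppress(SAMPLE_SNORT_LUA)))
```

Run it against a real snort.lua by passing the file contents to lint_suppress; an empty list means none of the four defects is present.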
