[Snort-users] Thresholding and suppression
pauls at ...6838...
Fri Oct 15 14:57:13 EDT 2004
--On Thursday, October 14, 2004 04:37:07 PM -0500 Lance Boon
<lboon at ...11799...> wrote:
> I've run into something strange when using the threshold.conf file, if I
> try to:
> suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x
> all alerts that are generated for telnet access to that specific ip
> address are suppressed as expected, but if I try to telnet to a jet
> direct box I would think that alerts should be generated for that sig as
> the ip addressis different but I don't see any alerts generated...
> Everything else is working correctly I'm using snort 2.2/latest
> ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var
> EXTERNAL_NET !$HOME_NET with an ip in the var TELNET_SERVERS [x.x.x.x]
> Am I just missing something?
Please post the entire rule. It makes life much easier.
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access";
  flow:from_server,established; content:"|FF FD|"; rawbytes;
  content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0;
  rawbytes; reference:arachnids,08; reference:cve,1999-0619;
  reference:nessus,10280; classtype:not-suspicious; sid:716; rev:12;)
Without suppression, this rule will only trigger if the src host is listed
in your var TELNET_SERVERS. So this rule will *never* trigger on the jet
direct box *unless* you've included its IP in the var, no matter what you
suppress. Since you stated "with an ip in the var", I assume that means
the jet direct's ip is not in the var? Based on your response, that you
changed the var from a single IP to $HOME_NET, this appears to be what your
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
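The point of the reply is an ordering question: threshold.conf suppression is only consulted for events a rule has already generated, and sid 716 only generates an event when the source address is inside $TELNET_SERVERS. The script below is an added example (not Snort's own code, and not from either poster) that models just that ordering. All addresses are constructed placeholders standing in for the x.x.x.x values in the thread: HOME_NET is a /20, EXTERNAL_NET is its negation, and TELNET_SERVERS holds one host. It shows the three outcomes a packet can have: the rule header never matches (the jet direct case), it matches but the suppress entry discards the event (the listed telnet server), or it matches and alerts (after TELNET_SERVERS is widened to $HOME_NET).

```python
"""Model of how a Snort rule header and a threshold.conf suppress entry
interact. Added example, not Snort's code; every address below is a
constructed placeholder for the x.x.x.x values in the thread."""
import ipaddress

# Constructed variables mirroring the poster's layout.
VARS = {
    "HOME_NET": "10.0.0.0/20",
    "EXTERNAL_NET": "!$HOME_NET",
    "TELNET_SERVERS": "[10.0.1.5]",
}

# Header of sid 716 as quoted in the reply (action proto src sport -> dst dport).
RULE_716 = "alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any"

# The suppress line from the question, with a constructed IP.
SUPPRESS = {"gen_id": 1, "sig_id": 716, "track": "by_src", "ip": "10.0.1.5"}


def resolve_addr(token, variables):
    """Expand a Snort address token into (negated, [networks]).
    Handles any, $VAR, !$VAR, single hosts, CIDR blocks and [a,b] lists."""
    negated = False
    token = token.strip()
    if token.startswith("!"):
        negated = True
        token = token[1:]
    if token.startswith("$"):
        inner_neg, nets = resolve_addr(variables[token[1:]], variables)
        return negated ^ inner_neg, nets
    if token == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    token = token.strip("[]")
    nets = [ipaddress.ip_network(t.strip(), strict=False) for t in token.split(",")]
    return negated, nets


def addr_matches(token, ip, variables):
    negated, nets = resolve_addr(token, variables)
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def port_matches(token, port):
    return token == "any" or int(token) == port


def header_matches(rule, src, sport, dst, dport, variables=VARS, proto="tcp"):
    """Does the rule header select this packet at all? Suppression is
    only consulted for packets that get past this check."""
    rproto, rsrc, rsport, _arrow, rdst, rdport = rule.split()[1:7]
    return (rproto == proto
            and addr_matches(rsrc, src, variables) and port_matches(rsport, sport)
            and addr_matches(rdst, dst, variables) and port_matches(rdport, dport))


def is_suppressed(gid, sid, src, dst, entry=SUPPRESS):
    """threshold.conf 'suppress' semantics: same gen_id/sig_id, and the
    tracked address (by_src or by_dst) falls inside the entry's ip."""
    if entry["gen_id"] != gid or entry["sig_id"] != sid:
        return False
    target = src if entry["track"] == "by_src" else dst
    return ipaddress.ip_address(target) in ipaddress.ip_network(entry["ip"], strict=False)


def evaluate(src, sport, dst, dport, variables=VARS):
    """Return 'no match', 'suppressed' or 'alert' for one server->client packet."""
    if not header_matches(RULE_716, src, sport, dst, dport, variables):
        return "no match"      # rule never fires, whatever threshold.conf says
    if is_suppressed(1, 716, src, dst):
        return "suppressed"    # rule fired, event discarded before output
    return "alert"


if __name__ == "__main__":
    client = "192.0.2.10"                      # constructed external client
    print("listed telnet server ->", evaluate("10.0.1.5", 23, client, 40000))
    print("jet direct, not in var ->", evaluate("10.0.2.9", 23, client, 40001))
    widened = dict(VARS, TELNET_SERVERS="$HOME_NET")
    print("jet direct, var=$HOME_NET ->", evaluate("10.0.2.9", 23, client, 40001, widened))
```

The second line of output is the case the reply describes: the packet from the jet direct never reaches the suppression check because $TELNET_SERVERS does not contain its address. Widening the variable to $HOME_NET, as the original poster did, is what makes the rule fire on it, and the by_src suppress entry for the other host then leaves that event alone.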