[Snort-users] Thresholding and suppression

Paul Schmehl pauls at ...6838...
Fri Oct 15 14:57:13 EDT 2004

--On Thursday, October 14, 2004 04:37:07 PM -0500 Lance Boon 
<lboon at ...11799...> wrote:

> I've run into something strange when using the threshold.conf file, if I
> try to:
> suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x
> all alerts that are generated for telnet access to that specific ip
> address are suppressed as expected, but if I try to telnet to a jet
> direct box I would think that alerts should be generated for that sig as
> the ip addressis different but I don't see any alerts generated...
> Everything else is working correctly I'm using snort 2.2/latest
> ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var
> EXTERNAL_NET !$HOME_NET with an ip in the var TELNET_SERVERS [x.x.x.x]
> Am I just missing something?

Please post the entire rule.  It makes life much easier.

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; 
flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF 
FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; 
reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; 
classtype:not-suspicious; sid:716; rev:12;)

Without suppression, this rule will only trigger if the src host is listed 
in you var TELNET_SERVERS.  So this rule will *never* trigger on the jet 
direct box *unless* you've included its IP in the var, no matter what you 
suppress.  Since you stated "with an ip in the var", I assume that means 
the jet direct's ip is not in the var?  Based on your response, that you 
changed the var from a single IP to $HOME_NET, this appears to be what your 
problem was.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-users mailing list