[Snort-users] Thresholding and suppression

Paul Schmehl pauls at ...6838...
Fri Oct 15 14:57:13 EDT 2004


--On Thursday, October 14, 2004 04:37:07 PM -0500 Lance Boon 
<lboon at ...11799...> wrote:

> I've run into something strange when using the threshold.conf file, if I
> try to:
>
> suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x
>
> all alerts that are generated for telnet access to that specific ip
> address are suppressed as expected, but if I try to telnet to a jet
> direct box I would think that alerts should be generated for that sig as
> the ip addressis different but I don't see any alerts generated...
> Everything else is working correctly I'm using snort 2.2/latest
> ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var
> EXTERNAL_NET !$HOME_NET with an ip in the var TELNET_SERVERS [x.x.x.x]
> Am I just missing something?

Please post the entire rule.  It makes life much easier.

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; 
flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF 
FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; 
reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; 
classtype:not-suspicious; sid:716; rev:12;)

Without suppression, this rule will only trigger if the src host is listed 
in you var TELNET_SERVERS.  So this rule will *never* trigger on the jet 
direct box *unless* you've included its IP in the var, no matter what you 
suppress.  Since you stated "with an ip in the var", I assume that means 
the jet direct's ip is not in the var?  Based on your response, that you 
changed the var from a single IP to $HOME_NET, this appears to be what your 
problem was.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




More information about the Snort-users mailing list