[Snort-users] Suppressing alerts doesn't work

Jiří Červenka cervenka at ...13126...
Fri Mar 4 03:07:10 EST 2005


Hello,
I'm trying to suppress a few alerts. I have inserted these values into
threshold.conf and included it in snort.conf:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
suppress gen_id 119, sig_id 7

Then I restarted snort. Here is the daemon.log:

Mar  4 09:15:27 gate snort: Initializing daemon mode
Mar  4 09:15:27 gate snort: PID path stat checked out ok, PID path set to /var/run/
Mar  4 09:15:27 gate snort: Writing PID "759" to file "/var/run//snort_eth1.pid"
Mar  4 09:15:27 gate snort: Parsing Rules file /etc/snort/snort.conf
Mar  4 09:15:27 gate snort: ,-----------[Flow Config]----------------------
Mar  4 09:15:27 gate snort: | Stats Interval:  0
Mar  4 09:15:27 gate snort: | Hash Method:     2
Mar  4 09:15:27 gate snort: | Memcap:          10485760
Mar  4 09:15:27 gate snort: | Rows  :          4099
Mar  4 09:15:27 gate snort: | Overhead Bytes:  16400(%0.16)
Mar  4 09:15:27 gate snort: `----------------------------------------------
Mar  4 09:15:27 gate snort: HttpInspect Config:
Mar  4 09:15:27 gate snort:     GLOBAL CONFIG
Mar  4 09:15:27 gate snort:       Max Pipeline Requests:    0
Mar  4 09:15:27 gate snort:       Inspection Type:          STATELESS
Mar  4 09:15:27 gate snort:       Detect Proxy Usage:       NO
Mar  4 09:15:27 gate snort:       IIS Unicode Map Filename: /etc/snort/unicode.map
Mar  4 09:15:27 gate snort:       IIS Unicode Map Codepage: 1252
Mar  4 09:15:27 gate snort:     DEFAULT SERVER CONFIG:
Mar  4 09:15:27 gate snort:       Ports: 80 8080 8180
Mar  4 09:15:27 gate snort:       Flow Depth: 300
Mar  4 09:15:27 gate snort:       Max Chunk Length: 500000
Mar  4 09:15:27 gate snort:       Inspect Pipeline Requests: YES
Mar  4 09:15:27 gate snort:       URI Discovery Strict Mode: NO
Mar  4 09:15:27 gate snort:       Allow Proxy Usage: NO
Mar  4 09:15:27 gate snort:       Disable Alerting: NO
Mar  4 09:15:27 gate snort:       Oversize Dir Length: 500
Mar  4 09:15:27 gate snort:       Only inspect URI: NO
Mar  4 09:15:27 gate snort:       Ascii: YES alert: NO
Mar  4 09:15:27 gate snort:       Double Decoding: YES alert: YES
Mar  4 09:15:27 gate snort:       %U Encoding: YES alert: YES
Mar  4 09:15:27 gate snort:       Bare Byte: YES alert: YES
Mar  4 09:15:27 gate snort:       Base36: OFF
Mar  4 09:15:27 gate snort:       UTF 8: OFF
Mar  4 09:15:27 gate snort:       IIS Unicode: YES alert: YES
Mar  4 09:15:27 gate snort:       Multiple Slash: YES alert: NO
Mar  4 09:15:27 gate snort:       IIS Backslash: YES alert: NO
Mar  4 09:15:27 gate snort:       Directory Traversal: YES alert: NO
Mar  4 09:15:27 gate snort:       Web Root Traversal: YES alert: YES
Mar  4 09:15:27 gate snort:       Apache WhiteSpace: YES alert: NO
Mar  4 09:15:27 gate snort:       IIS Delimiter: YES alert: NO
Mar  4 09:15:27 gate snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Mar  4 09:15:27 gate snort:       Non-RFC Compliant Characters: NONE
Mar  4 09:15:27 gate snort: rpc_decode arguments:
Mar  4 09:15:27 gate snort:     Ports to decode RPC on: 111 32771
Mar  4 09:15:27 gate snort:     alert_fragments: INACTIVE
Mar  4 09:15:27 gate snort:     alert_large_fragments: ACTIVE
Mar  4 09:15:27 gate snort:     alert_incomplete: ACTIVE
Mar  4 09:15:27 gate snort:     alert_multiple_requests: ACTIVE
Mar  4 09:15:27 gate snort: telnet_decode arguments:
Mar  4 09:15:27 gate snort:     Ports to decode telnet on: 21 23 25 119
Mar  4 09:15:27 gate snort: Portscan Detection Config:
Mar  4 09:15:27 gate snort:     Detect Protocols:  TCP UDP ICMP IP
Mar  4 09:15:27 gate snort:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Mar  4 09:15:27 gate snort:     Sensitivity Level: Low
Mar  4 09:15:27 gate snort:     Memcap (in bytes): 10000000
Mar  4 09:15:27 gate snort:     Number of Nodes:   36900
Mar  4 09:15:27 gate snort:
Mar  4 09:15:28 gate snort: Warning: flowbits key 'tls1.client_hello.request' is checked but not ever set.
Mar  4 09:15:28 gate snort: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Mar  4 09:15:28 gate snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Mar  4 09:15:28 gate snort:
Mar  4 09:15:28 gate snort: +-----------------------[thresholding-config]----------------------------------
Mar  4 09:15:28 gate snort: | memory-cap : 1048576 bytes
Mar  4 09:15:28 gate snort: +-----------------------[thresholding-global]----------------------------------
Mar  4 09:15:28 gate snort: | none
Mar  4 09:15:28 gate snort: +-----------------------[thresholding-local]-----------------------------------
Mar  4 09:15:28 gate snort: | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
Mar  4 09:15:28 gate snort: | gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
Mar  4 09:15:28 gate snort: +-----------------------[suppression]------------------------------------------
Mar  4 09:15:28 gate snort: | gen-id=119    sig-id=7          tracking=dstip=0.0.0.0           mask=0.0.0.0
Mar  4 09:15:28 gate snort: | gen-id=122    sig-id=3          tracking=dstip=0.0.0.0           mask=0.0.0.0
Mar  4 09:15:28 gate snort: | gen-id=122    sig-id=27         tracking=dstip=0.0.0.0           mask=0.0.0.0
Mar  4 09:15:28 gate snort: +------------------------------------------------------------------------------
Mar  4 09:15:28 gate snort: Rule application order: ->pass->activation->dynamic->alert->log
Mar  4 09:15:28 gate snort: Log directory = /var/log/snort
Mar  4 09:15:28 gate snort: Snort initialization completed successfully (pid=759)
Mar  4 09:15:31 gate snort: Final Flow Statistics
Mar  4 09:15:31 gate snort: Snort exiting

But the suppressed gen_ids and sig_ids are still caught by snort.
What is wrong?

Thanks for any help.
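A cross-check for the situation described above, added here and not part of the original post: it validates each suppress line against the documented Snort 2.x syntax and then confirms that the same gen_id/sig_id pairs appear in the [suppression] box snort prints at startup, which separates a parse problem from a matching problem. The sample conf and log text are constructed from the post (with one extra gen_id 1 / sig_id 9999 entry invented to show a miss).

```python
import re
# Documented Snort 2.x suppress syntax: suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr>[/<mask>]]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(?:by_src|by_dst)\s*,\s*ip\s+\S+)?$")
LOG_RE = re.compile(r"\|\s*gen-id=(\d+)\s+sig-id=(\d+)")  # entry lines in the [suppression] box

def parse_suppress_conf(text):
    """Return ({(gid, sid), ...}, [malformed suppress lines]) from threshold.conf text."""
    wanted, bad = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            wanted.add((int(m.group(1)), int(m.group(2))))
        else:
            bad.append(line)                     # e.g. a stray trailing ':'
    return wanted, bad

def loaded_suppressions(log_text):
    """Return the (gid, sid) pairs snort listed under its [suppression] banner."""
    loaded, in_block = set(), False
    for line in log_text.splitlines():
        if "[suppression]" in line:
            in_block = True                      # banner opens the box
        elif in_block and "+---" in line:
            in_block = False                     # bare rule closes it
        elif in_block:
            m = LOG_RE.search(line)
            if m:
                loaded.add((int(m.group(1)), int(m.group(2))))
    return loaded

def check(conf_text, log_text):
    # Compare what threshold.conf asks for with what snort reports it loaded.
    wanted, bad = parse_suppress_conf(conf_text)
    loaded = loaded_suppressions(log_text)
    return {"bad_syntax": bad, "loaded": sorted(wanted & loaded),
            "not_loaded": sorted(wanted - loaded)}

# Constructed sample input: the poster's three lines (stray ':' kept) plus a
# fourth entry, gen_id 1 / sig_id 9999, invented here so one miss shows up.
CONF = ("suppress gen_id 122, sig_id 27\nsuppress gen_id 122, sig_id 3:\n"
        "suppress gen_id 119, sig_id 7\nsuppress gen_id 1, sig_id 9999\n")
LOG = ("snort: | gen-id=1      sig-id=2523       type=Both      tracking=dst\n"
       "snort: +-----------------------[suppression]-----------------------\n"
       "snort: | gen-id=119    sig-id=7          tracking=dstip=0.0.0.0  mask=0.0.0.0\n"
       "snort: | gen-id=122    sig-id=3          tracking=dstip=0.0.0.0  mask=0.0.0.0\n"
       "snort: | gen-id=122    sig-id=27         tracking=dstip=0.0.0.0  mask=0.0.0.0\n"
       "snort: +-----------------------------------------------------------\n")
```

Run check(CONF, LOG) against your real threshold.conf and daemon.log; anything under not_loaded never reached snort, and anything under bad_syntax needs its line fixed before the log is worth reading.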