[Snort-users] Converting pass to suppress rules

Stephen Reese rsreese at ...11827...
Tue Oct 28 10:22:35 EDT 2008


I would like to make sure I have a firm grasp on suppression before
utilizing it in production. Here are my proposed changes. I understand
that snort will continue to evaluate a packet even if a suppress
statement is fired, but I want to make sure that I'm not over-utilizing
it. I really wish you could use src and dst or variables with
suppression, but I guess that keeps them simple.

var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
var EXTERNAL_NET any
var ROLAC [172.31.1.0/24]
var 3825ROUTER [172.31.1.1/32]
var DI200 [172.31.1.223/32,172.31.1.240/32]


#Ignore redirects from the main router to the internet router
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:7;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:5;)

pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000000;)
pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000001;)

suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.0/21
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.0/21

#Chatty Minolta copiers
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:7;)

pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000002;)
pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000003;)

suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.223
suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.240
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.223
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.240

#Who cares if internal hosts are pinging each other
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; sid:1000004;)
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; sid:1000005;)

This one I can't figure out, because we want to know if a host may be
pinging the outside world, for example a flood of ICMP PING packets to
somewhere outside our 172.31.1.0
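A small converter for the var and rule definitions in the post above, added here as an example and not part of the original message or of Snort itself. It takes the rules with the mail wrapping already undone, resolves the var definitions, matches each pass rule to its commented-out alert by msg text (the convention the post uses), emits one suppress line per source address, and flags pass rules that constrain both src and dst, which suppress cannot express. The ICMP PING alert's sid 9999999 is a placeholder, not the real ruleset value.

```python
import re
# Constructed sample input: variables and some rules from the post above, with the
# mail-wrapped rules rejoined; the ICMP PING alert uses a placeholder sid 9999999.
CONF = """\
var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
var ROLAC [172.31.1.0/24]
var 3825ROUTER [172.31.1.1/32]
var DI200 [172.31.1.223/32,172.31.1.240/32]
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; sid:473; rev:5;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; sid:9999999; rev:1;)
pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000001;)
pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000002;)
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; sid:1000005;)
"""
RULE = re.compile(r'^#?(alert|pass)\s+\S+\s+(\S+)\s+\S+\s+->\s+(\S+)\s+\S+\s+\((.*)\)\s*$')
VAR = re.compile(r'^var\s+(\S+)\s+(\S+)\s*$')

def expand(token, variables):
    """Resolve $VAR, [a,b] or a bare address into a list of address strings."""
    if token.startswith('$'):
        token = variables[token[1:]]
    return token.strip('[]').split(',')

def convert(conf):
    """Return (suppress lines, notes). Each pass rule is matched to the original
    alert by its msg text, the convention used in the post above."""
    variables, sid_by_msg, passes, out, notes = {}, {}, [], [], []
    for line in conf.splitlines():
        v, r = VAR.match(line), RULE.match(line)
        if v:
            variables[v.group(1)] = v.group(2)
        elif r:
            action, src, dst, opts = r.groups()
            msg = re.search(r'msg:"([^"]*)"', opts).group(1)
            if action == 'alert':   # commented-out original: remember its sid
                sid_by_msg[msg] = int(re.search(r'sid:(\d+)', opts).group(1))
            else:
                passes.append((src, dst, msg))
    for src, dst, msg in passes:
        sid = sid_by_msg.get(msg)
        if sid is None:
            notes.append(f'no alert rule with msg "{msg}"; nothing to suppress')
            continue
        track, side = ('by_src', src) if src != 'any' else ('by_dst', dst)  # one side only
        if src != 'any' and dst != 'any':
            notes.append(f'sid {sid}: suppress cannot match both {src} and {dst}; '
                         f'track {track} on {side} also silences {side} -> anywhere')
        for ip in expand(side, variables):
            out.append(f'suppress gen_id 1, sig_id {sid}, track {track}, ip {ip}')
    return out, notes
```

Every pass rule in the post constrains both ends, so each one comes back with a note: the resulting suppress entries are broader than the pass rule they replace.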
