[Snort-users] suppressing alert...

Joel Esler jesler at ...1935...
Wed Sep 22 12:14:47 EDT 2010


For the first part of your question, I prefer to do one IP per line.  That
way if I need to remove a line, I can grep for the IP, mash "dd" in vi, save
the file, and bump Snort.

As for the second part of your question, I don't know if it's a bug, and I
don't have the time right this second to test to see if I get the same
result.  Maybe someone else can test and if they can replicate it, we can
file a bug to take a look.

J

On Wed, Sep 22, 2010 at 12:07 PM, waldo kitty <wkitty42 at ...14940...> wrote:

>
> no one has any comment on this??
>
>
> On 9/17/2010 14:39, waldo kitty wrote:
> >
> > if you have more than one IP that you want to suppress an alert for, is it
> > better to use multiple lines or list all the addresses (and CIDRs) on one line?
> >
> > example 1:
> > suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
> > suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
> >
> >
> > example 2:
> > suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]
> >
> >
> > I'm undecided and tend to lean more toward example 1 mainly due to the
> > manageability aspects... consider a large list of IPs and trying to locate and
> > remove just one...
> >
> >
> > in using the example 1 format, I note that snort 2.8.6.1 shows two suppression
> > lines exactly the same but displays "<list>" for the IPs instead of listing the
> > actual IPs and/or CIDRs given...
> >
> > [quote]
> > Sep 17 14:02:50 perseus snort[14304]: +-----------------------[suppression]------------------------------------------
> > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
> > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
> > Sep 17 14:02:50 perseus snort[14304]: -------------------------------------------------------------------------------
> > [/quote]
> >
> > using the example 2 format gets one line but still displays "<list>" instead of
> > the actual IPs and/or CIDRs...
> >
> > BUG??
>
>
>
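The manageability question in the thread (one address per `suppress` line versus a bracketed list) is easiest to settle with tooling. The following Python helper is an added example, not code from the thread or from the Snort project: it parses both layouts of a `suppress` entry, removes a single address or CIDR, and re-emits whatever remains one entry per line (the "example 1" layout). The `threshold.conf` fragment is constructed; negated (`!`) list entries are assumed absent.

```python
import re
from ipaddress import ip_network

# Matches "suppress gen_id N, sig_id N" plus the optional ", track by_src|by_dst, ip <addr>"
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gen>\d+)\s*,\s*sig_id\s+(?P<sig>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S.*?))?\s*$"
)

# Constructed sample threshold.conf: a bracketed list (the thread's "example 2"),
# a CIDR entry, and a comment line that must pass through untouched.
SAMPLE_CONF = (
    "# suppress noisy scanners\n"
    "suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]\n"
    "suppress gen_id 1, sig_id 2, track by_src, ip 10.0.0.0/8\n"
)


def parse_suppress(line):
    """Return (gen_id, sig_id, track, [networks]) or None for a non-suppress line."""
    m = SUPPRESS_RE.match(line)
    if not m:
        return None
    nets = []
    if m.group("ip"):
        raw = m.group("ip").strip()
        if raw.startswith("[") and raw.endswith("]"):  # bracketed comma list
            raw = raw[1:-1]
        nets = [ip_network(p.strip(), strict=False) for p in raw.split(",") if p.strip()]
    return int(m.group("gen")), int(m.group("sig")), m.group("track"), nets


def format_suppress(gen, sig, track, net):
    """Emit one entry per address; host entries are printed without a /32 suffix."""
    addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    return f"suppress gen_id {gen}, sig_id {sig}, track {track}, ip {addr}"


def remove_ip(conf_text, addr):
    """Drop `addr` from every suppress entry and rewrite the rest one per line."""
    target = ip_network(addr, strict=False)
    out = []
    for line in conf_text.splitlines():
        parsed = parse_suppress(line)
        if parsed is None or not parsed[3]:
            out.append(line)  # comments, event_filter lines, global suppress: keep as-is
            continue
        gen, sig, track, nets = parsed
        out.extend(format_suppress(gen, sig, track, n) for n in nets if n != target)
    return "\n".join(out) + "\n"
```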