[Snort-users] suppressing alert...

waldo kitty wkitty42 at ...14940...
Wed Sep 22 14:22:51 EDT 2010


On 9/22/2010 12:14, Joel Esler wrote:
> For the first part of your question, I prefer to do one IP per line.  That way
> if I need to remove a line, I can grep for the IP, mash "dd" in vi, save the
> file, and bump Snort.

thanks... that is one of my thoughts... it also makes it easier to automate for 
a GUI interface package...

> As for the second part of your question, I don't know if it's a bug, and I don't
> have the time right this second to test to see if I get the same result.  Maybe
> someone else can test and if they can replicate it, we can file a bug to take a
> look.

ok... thanks! ;)

>
> J
>
> On Wed, Sep 22, 2010 at 12:07 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>
>
>     no one has any comment on this??
>
>
>     On 9/17/2010 14:39, waldo kitty wrote:
>      >
>      > if you have more than one IP that you want to suppress an alert for, is it
>      > better to use multiple lines or list all the addresses (and CIDRs) on one line?
>      >
>      > example 1:
>      > suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
>      > suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
>      >
>      >
>      > example 2:
>      > suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]
>      >
>      >
>      > i'm undecided and tend to lean more toward example 1 mainly due to the
>      > manageability aspects... consider a large list of IPs and trying to locate and
>      > remove just one...
>      >
>      >
>      > in using the example 1 format, i note that snort 2.8.6.1 shows two suppression
>      > lines exactly the same but displays "<list>" for the IPs instead of listing the
>      > actual IPs and/or CIDRs given...
>      >
>      > [quote]
>      > Sep 17 14:02:50 perseus snort[14304]: +-----------------------[suppression]------------------------------------------
>      > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
>      > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
>      > Sep 17 14:02:50 perseus snort[14304]: -------------------------------------------------------------------------------
>      > [/quote]
>      >
>      > using the example 2 format gets one line but still displays "<list>" instead of
>      > the actual IPs and/or CIDRs...
>      >
>      > BUG??
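The thread's practical question is whether to keep one IP per suppress line (easy to grep and delete) or one bracketed list per signature. The script below is an added example, not part of the thread and not Snort's own code: it parses both forms of the `suppress gen_id N, sig_id N, track by_src|by_dst, ip ...` line shown above, expands lists into one record per address, rewrites a file in either form, and removes a single address regardless of which form it was written in. It assumes only the syntax quoted in the thread; the sample config fragment is constructed, and the bracketed-list rendering with no spaces after commas is an assumption about what Snort accepts, not something the thread confirms.

```python
"""Normalize Snort 'suppress' lines between one-IP-per-line and bracketed-list
forms, and remove a single IP cleanly.  Added example; not Snort's own code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the form quoted in the thread is parsed (assumption):
#   suppress gen_id N, sig_id N[, track by_src|by_dst, ip <ip | [ip, ip, cidr, ...]>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>.+?))?\s*$",
    re.IGNORECASE,
)

# Constructed sample config fragment mixing both forms from the thread.
SAMPLE = """\
# constructed sample threshold.conf fragment
suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip [2.2.2.2, 10.0.0.0/8]
suppress gen_id 1, sig_id 2
"""


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]  # 'by_src' / 'by_dst', or None for a whole-signature suppress
    ip: Optional[str]     # one address or CIDR, canonical text; None when track is None


def normalize_ip(item: str) -> str:
    """Validate one host or CIDR and return its canonical text.
    Anything that is neither (e.g. '1.1.1' or '300.1.1.1') raises ValueError,
    which is what you want from a tool that rewrites a config file."""
    item = item.strip()
    try:
        return str(ipaddress.ip_address(item))
    except ValueError:
        return str(ipaddress.ip_network(item, strict=False))


def parse_ip_list(text: str) -> List[str]:
    """'1.1.1.1' or '[1.1.1.1, 2.2.2.2, 10.0.0.0/8]' -> ['1.1.1.1', ...]."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [normalize_ip(p) for p in text.split(",") if p.strip()]


def parse_suppress(text: str) -> List[Suppress]:
    """Expand a suppress config into one Suppress record per IP (example 1 form).
    Blank lines and '#' comments are skipped; anything else unrecognized is an error."""
    entries: List[Suppress] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a suppress line: {line!r}")
        gid, sid = int(m["gid"]), int(m["sid"])
        if m["track"] is None:
            entries.append(Suppress(gid, sid, None, None))
            continue
        track = m["track"].lower()
        for ip in parse_ip_list(m["ip"]):
            entries.append(Suppress(gid, sid, track, ip))
    return entries


def render_one_per_line(entries: List[Suppress]) -> str:
    """Example 1 form: one IP per line, easy to grep for and delete."""
    lines = []
    for e in entries:
        if e.track is None:
            lines.append(f"suppress gen_id {e.gid}, sig_id {e.sid}")
        else:
            lines.append(f"suppress gen_id {e.gid}, sig_id {e.sid}, track {e.track}, ip {e.ip}")
    return "\n".join(lines)


def render_grouped(entries: List[Suppress]) -> str:
    """Example 2 form: one line per (gid, sid, track) with a bracketed IP list."""
    groups = {}
    for e in entries:
        ips = groups.setdefault((e.gid, e.sid, e.track), [])
        if e.ip not in ips:  # drop exact duplicates while merging
            ips.append(e.ip)
    lines = []
    for (gid, sid, track), ips in groups.items():
        if track is None:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
        else:
            ip_text = ips[0] if len(ips) == 1 else "[" + ",".join(ips) + "]"
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip_text}")
    return "\n".join(lines)


def remove_ip(entries: List[Suppress], ip: str) -> List[Suppress]:
    """Drop every suppression for one address/CIDR, whichever form it was written in."""
    target = normalize_ip(ip)
    return [e for e in entries if e.ip != target]


if __name__ == "__main__":
    entries = parse_suppress(SAMPLE)
    print(render_one_per_line(remove_ip(entries, "2.2.2.2")))
```

Because every address is validated through the `ipaddress` module before it is written back, a typo in an address fails the rewrite instead of silently producing a line Snort would reject at startup; and since both forms parse to the same records, you can keep the file in whichever layout you prefer and still remove one address with a single call.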




