[Snort-users] suppressing alert...

Alex Tatistcheff alext at ...492...
Wed Sep 22 22:38:31 EDT 2010


On Wed, Sep 22, 2010 at 2:22 PM, waldo kitty <wkitty42 at ...14940...>wrote:

> On 9/22/2010 12:14, Joel Esler wrote:
> > For the first part of your question, I prefer to do one IP per line. That way
> > if I need to remove a line, I can grep for the IP, mash "dd" in vi, save the
> > file, and bump Snort.
>
> thanks... that is one of my thoughts... it also makes it easier to automate for
> a GUI interface package...
>
> > As for the second part of your question, I don't know if it's a bug, and I don't
> > have the time right this second to test to see if I get the same result. Maybe
> > someone else can test and if they can replicate it, we can file a bug to take a
> > look.
>
> ok... thanks! ;)
>
> >
> > J
> >
> > On Wed, Sep 22, 2010 at 12:07 PM, waldo kitty <wkitty42 at ...14940...
> > <mailto:wkitty42 at ...14940...>> wrote:
> >
> >
> >     no one has any comment on this??
> >
> >
> >     On 9/17/2010 14:39, waldo kitty wrote:
> >      >
> >      > if you have more than one IP that you want to suppress an alert for, is it
> >      > better to use multiple lines or list all the addresses (and CIDRs) on one
> >      > line?
> >      >
> >      > example 1:
> >      > suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
> >      > suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
> >      >
> >      >
> >      > example 2:
> >      > suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]
> >      >
> >      >
> >      > i'm undecided and tend to lean more toward example 1 mainly due to the
> >      > manageability aspects... consider a large list of IPs and trying to
> >      > locate and remove just one...
> >      >
> >      >
> >      > in using the example 1 format, i note that snort 2.8.6.1 shows two
> >      > suppression lines exactly the same but displays "<list>" for the IPs
> >      > instead of listing the actual IPs and/or CIDRs given...
> >      >
> >      > [quote]
> >      > Sep 17 14:02:50 perseus snort[14304]:
> >      > +-----------------------[suppression]------------------------------------------
> >      > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
> >      > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
> >      > Sep 17 14:02:50 perseus snort[14304]:
> >      > -------------------------------------------------------------------------------
> >      > [/quote]
> >      >
> >      > using the example 2 format gets one line but still displays "<list>"
> >      > instead of the actual IPs and/or CIDRs...
> >      >
> >      > BUG??
>
>
>
> ------------------------------------------------------------------------------
>


Bug or no bug, I get the same result.

threshold.conf
suppress gen_id 1, sig_id 1, track by_src, ip 10.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 10.1.1.2


snort output:
Sep 22 22:30:57 Snortbox snort[4750]:
+-----------------------[suppression]------------------------------------------
Sep 22 22:30:57 Snortbox snort[4750]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
Sep 22 22:30:57 Snortbox snort[4750]: | gen-id=1      sig-id=1 tracking=src-ip=<list>
Sep 22 22:30:57 Snortbox snort[4750]:
-------------------------------------------------------------------------------

[root at ...14988... snort]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.9 2009-04-11
           Using ZLIB version: 1.2.3



Alex Tatistcheff
alext at ...492...

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan
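The thread compares two ways of writing the same suppression (one `suppress` line per address versus a bracketed list on a single line) and points out that the one-per-line form is easier to manage because a single address can be found and removed without editing a list. The following script is an added example, not code from the thread and not Snort's own parser; it assumes only the `suppress gen_id N, sig_id N, track by_src|by_dst, ip ...` syntax shown above, accepts both layouts (bare address, CIDR, or a bracketed comma-separated list), flattens a file into the set of (gen_id, sig_id, track, network) tuples so the two layouts can be checked for equivalence, and removes one address from whichever layout it appears in. The sample config, `SAMPLE_CONF`, and all function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the thread): both layouts side by side.
SAMPLE_CONF = """\
# one IP per line (example 1 style)
suppress gen_id 1, sig_id 1, track by_src, ip 10.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 10.1.1.2
# list on one line (example 2 style), with a CIDR mixed in
suppress gen_id 1, sig_id 2, track by_src, ip [10.1.1.1, 10.1.1.2, 192.0.2.0/24]
suppress gen_id 1, sig_id 3, track by_dst, ip 203.0.113.7
"""

# Matches only suppress lines that carry an ip field; everything else
# (comments, blank lines, event_filter/threshold lines) is passed through untouched.
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gen>\d+)\s*,\s*sig_id\s+(?P<sig>\d+)"
    r"\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>.+?)\s*$",
    re.IGNORECASE,
)


def parse_ip_field(field):
    """Turn '10.1.1.1', '10.0.0.0/8' or '[a, b/24]' into a list of ip_network objects."""
    field = field.strip()
    if field.startswith("[") and field.endswith("]"):
        field = field[1:-1]
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in field.split(",") if tok.strip()]


def parse_suppress(line):
    """Return a dict for a suppress line that names IPs, or None for any other line."""
    m = SUPPRESS_RE.match(line)
    if not m:
        return None
    return {
        "gen_id": int(m.group("gen")),
        "sig_id": int(m.group("sig")),
        "track": m.group("track").lower(),
        "networks": parse_ip_field(m.group("ip")),
    }


def expand(conf_text):
    """Flatten a config into the set of (gen_id, sig_id, track, network) it suppresses,
    so that the one-per-line and list layouts can be compared for equivalence."""
    out = set()
    for line in conf_text.splitlines():
        entry = parse_suppress(line)
        if entry:
            for net in entry["networks"]:
                out.add((entry["gen_id"], entry["sig_id"], entry["track"], net))
    return out


def format_suppress(entry):
    """Render an entry back to one line; a single network stays bare, several go in brackets."""
    nets = [str(n) if n.prefixlen != n.max_prefixlen else str(n.network_address)
            for n in entry["networks"]]
    ip_field = nets[0] if len(nets) == 1 else "[" + ",".join(nets) + "]"
    return (f"suppress gen_id {entry['gen_id']}, sig_id {entry['sig_id']}, "
            f"track {entry['track']}, ip {ip_field}")


def remove_ip(conf_text, ip):
    """Remove one host address (or exact CIDR) from every suppress entry that lists it.
    Single-address lines are dropped; list lines are rewritten without that address.
    Returns (new_text, number_of_entries_touched)."""
    target = ipaddress.ip_network(ip, strict=False)
    kept, touched = [], 0
    for line in conf_text.splitlines():
        entry = parse_suppress(line)
        if entry is None or target not in entry["networks"]:
            kept.append(line)
            continue
        touched += 1
        remaining = [n for n in entry["networks"] if n != target]
        if remaining:
            entry["networks"] = remaining
            kept.append(format_suppress(entry))
        # else: the line covered only this address, so it is dropped entirely
    return "\n".join(kept) + "\n", touched


if __name__ == "__main__":
    new_text, n = remove_ip(SAMPLE_CONF, "10.1.1.2")
    print(f"touched {n} entries:\n{new_text}")
```

Running it removes `10.1.1.2` from both the one-per-line entry (by deleting the line, which is exactly the grep-and-`dd` step described earlier in the thread) and the bracketed list (by rewriting the list), which is the extra work the list layout forces on a tool. The script only rewrites the file; as the thread notes, Snort still has to be restarted or signalled to pick up the new threshold.conf, and it says nothing about why Snort prints `<list>` in the startup banner.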

