[Snort-users] suppressing alert...

Joel Esler jesler at ...1935...
Wed Sep 22 23:21:04 EDT 2010


Waldo, what version are you running?

On Wednesday, September 22, 2010, Alex Tatistcheff <alext at ...492...> wrote:
> On Wed, Sep 22, 2010 at 2:22 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>
> On 9/22/2010 12:14, Joel Esler wrote:
>> For the first part of your question, I prefer to do one IP per line.  That way
>> if I need to remove a line, I can grep for the IP, mash "dd" in vi, save the
>> file, and bump Snort.
>
> thanks... that is one of my thoughts... it also makes it easier to automate for
> a GUI interface package...
>
>> As for the second part of your question, I don't know if it's a bug, and I don't
>> have the time right this second to test to see if I get the same result.  Maybe
>> someone else can test and if they can replicate it, we can file a bug to take a
>> look.
>
> ok... thanks! ;)
>
>>
>> J
>>
>> On Wed, Sep 22, 2010 at 12:07 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>
>>
>>     no one has any comment on this??
>>
>>
>>     On 9/17/2010 14:39, waldo kitty wrote:
>>      >
>>      > if you have more than one IP that you want to suppress an alert for, is it
>>      > better to use multiple lines or list all the addresses (and CIDRs) on one line?
>>      >
>>      > example 1:
>>      > suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
>>      > suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
>>      >
>>      >
>>      > example 2:
>>      > suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]
>>      >
>>      >
>>      > i'm undecided and tend to lean more toward example 1 mainly due to the
>>      > manageability aspects... consider a large list of IPs and trying to locate and
>>      > remove just one...
>>      >
>>      >
>>      > in using the example 1 format, i note that snort 2.8.6.1 shows two suppression
>>      > lines exactly the same but displays "<list>" for the IPs instead of listing the
>>      > actual IPs and/or CIDRs given...
>>      >
>>      > [quote]
>>      > Sep 17 14:02:50 perseus snort[14304]: +-----------------------[suppression]------------------------------------------
>>      > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1          tracking=src-ip=<list>
>>      > Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1          tracking=src-ip=<list>
>>      > Sep 17 14:02:50 perseus snort[14304]: -------------------------------------------------------------------------------
>>      > [/quote]
>>      >
>>      > using the example 2 format gets one line but still displays "<list>" instead of
>>      > the actual IPs and/or CIDRs...
>>      >
>>      > BUG??
>
>
> Bug or no bug, I get the same result.
>
> threshold.conf
> suppress gen_id 1, sig_id 1, track by_src, ip 10.1.1.1
> suppress gen_id 1, sig_id 1, track by_src, ip 10.1.1.2
>
>
> snort output:
> Sep 22 22:30:57 Snortbox snort[4750]: +-----------------------[suppression]------------------------------------------
> Sep 22 22:30:57 Snortbox snort[4750]: | gen-id=1      sig-id=1          tracking=src-ip=<list>
> Sep 22 22:30:57 Snortbox snort[4750]: | gen-id=1      sig-id=1          tracking=src-ip=<list>
> Sep 22 22:30:57 Snortbox snort[4750]: -------------------------------------------------------------------------------
>
> [root at ...14988... snort]# snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.6 (Build 38) inline
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using PCRE version: 7.9 2009-04-11
>            Using ZLIB version: 1.2.3
>
>
> Alex Tatistcheff
> alext at ...492...
>
> The most terrifying words in the English language are, "I'm from the government and I'm here to help." -Ronald Reagan
>
>
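The thread compares two ways of writing threshold.conf suppress entries (one address per line versus a bracketed list) and argues for the first because it is easier to find and delete a single address. The script below is an added example, not code from the thread or from the Snort project: it parses both forms, expands lists into one entry per address (dropping exact duplicates), renders the one-per-line layout, and removes a single address the way the grep-and-dd workflow would. It assumes the `suppress gen_id N, sig_id N[, track by_src|by_dst, ip X]` grammar where X is an address, a CIDR, or a comma-separated list in square brackets; negated entries (`!addr`) and the other threshold.conf directives are not handled. The sample config is constructed for the example.

```python
"""Normalize Snort 2.x threshold.conf suppress entries (added example).

Assumed grammar (not taken from the thread):
  suppress gen_id N, sig_id N[, track by_src|by_dst, ip X]
where X is an address, a CIDR, or a [comma,separated] list of those.
Negated entries (!addr) are not supported.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S.*?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]   # "by_src", "by_dst", or None (suppress regardless of address)
    ip: Optional[str]      # canonical address or CIDR, None when no track clause


def _split_ips(field: str) -> List[str]:
    """Turn '1.1.1.1', '10.0.0.0/8' or '[1.1.1.1, 2.2.2.2]' into canonical strings."""
    field = field.strip()
    if field.startswith("[") and field.endswith("]"):
        field = field[1:-1]
    out = []
    for tok in field.split(","):
        tok = tok.strip()
        if not tok:
            continue
        # strict=False so 10.1.1.5/24 is normalized to 10.1.1.0/24; junk raises ValueError
        net = ipaddress.ip_network(tok, strict=False)
        if net.prefixlen == net.max_prefixlen:
            out.append(str(net.network_address))   # plain host address
        else:
            out.append(net.with_prefixlen)         # keep CIDR notation
    return out


def parse_suppress(text: str) -> List[Suppress]:
    """Return suppress entries in file order, one per address, lists expanded."""
    entries: List[Suppress] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or not line.lower().startswith("suppress"):
            continue                               # blanks and other directives
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable suppress entry: {raw!r}")
        gid, sid, track, ipfield = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        if ipfield is None:
            entries.append(Suppress(gid, sid, None, None))
            continue
        for ip in _split_ips(ipfield):
            entry = Suppress(gid, sid, track.lower(), ip)
            if entry not in entries:               # same gid/sid/ip twice is redundant
                entries.append(entry)
    return entries


def render(entries: List[Suppress]) -> str:
    """Emit the one-address-per-line layout preferred in the thread."""
    lines = []
    for e in entries:
        if e.ip is None:
            lines.append(f"suppress gen_id {e.gid}, sig_id {e.sid}")
        else:
            lines.append(f"suppress gen_id {e.gid}, sig_id {e.sid}, track {e.track}, ip {e.ip}")
    return "\n".join(lines) + ("\n" if lines else "")


def remove_ip(entries: List[Suppress], gid: int, sid: int, ip: str) -> List[Suppress]:
    """Drop the entry for exactly this gid/sid/address; the address is canonicalized first."""
    target = _split_ips(ip)[0]
    return [e for e in entries if not (e.gid == gid and e.sid == sid and e.ip == target)]


# Constructed sample mirroring the two forms discussed in the thread.
SAMPLE = """\
# constructed threshold.conf fragment
suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2
suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2, 10.0.0.0/8]
suppress gen_id 1, sig_id 2
"""

if __name__ == "__main__":
    parsed = parse_suppress(SAMPLE)
    print(render(remove_ip(parsed, 1, 1, "2.2.2.2")), end="")
```

Running the script prints the normalized file with 2.2.2.2 removed and the list entry flattened; feeding the output back through `parse_suppress` yields the same entries, so the normalized file can be re-normalized safely after hand edits.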
