[Snort-users] Suppress not suppressing all alerts for specific gen_id, only a few.

James Lay jlay at ...13475...
Wed Jun 12 10:13:33 EDT 2013


Quick workaround, threshold them out:

suppress gen_id 138, sig_id 5

James
On Jun 12, 2013, at 7:46 AM, Agus <agus.262 at ...11827...> wrote:

> Hi guys,
> 
> Here are the tests... any help is appreciated.
> 
> snort -V
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.6 GRE (Build 73) 
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.3.0
>            Using PCRE version: 6.6 06-Feb-2006
>            Using ZLIB version: 1.2.3
> 
> 
> +-----------------------[filtered events]--------------------------------------
> | gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1   seconds=60  filtered=4
> | gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
> | gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
> | gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
> | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
> | gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
> | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
> Snort exiting
> [snort01 snort]# cat alert|grep "138:5"|wc -l
> 492
> [snort01 snort]# rm alert
> 
> 
> Now I apply the suppress
> 
> +-----------------------[filtered events]--------------------------------------
> | gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1   seconds=60  filtered=4
> | gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
> | gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
> | gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
> | gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
> | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
> | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
> | gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
> Snort exiting
> [snort01 snort]# cat alert|grep "138:5"|wc -l
> 63
> 
> 
> Also, it's worth mentioning that all alerts regarding
> [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] are false positives, as the information shown in the pcap is encrypted.
> 
> Thanks!
> 
> 
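Added example (not part of the thread, and not Snort's own code): a small Python triage script that cross-checks Snort's "[filtered events]" shutdown table against the alert file, so a leaking suppress entry like the 138:5 case above shows up as a number rather than a manual `grep | wc -l`. It counts every `[gid:sid:rev]` triplet in the alert output (works for both the "full" and "fast" alert formats, since both print that header), parses the per-filter counts from Snort's stdout, and flags any `Suppress` filter that still has alerts left behind. The alert lines below are constructed sample input (the rule message for 1:2014726 is a placeholder); the statistics block is the one quoted in the thread.

```python
import re
from collections import Counter

# Snort prints a [gid:sid:rev] triplet in every alert header, in both
# "full" and "fast" alert formats.
SIG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")

# One row of Snort's "[filtered events]" shutdown summary, e.g.
# | gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
FILTERED_RE = re.compile(
    r"gen-id=(\d+)\s+sig-id=(\d+)\s+type=(\w+).*?filtered=(\d+)"
)

# Constructed sample alerts in "fast" format (addresses and the
# 1:2014726 message are placeholders, not data from the thread).
ALERT_SAMPLE = """\
06/12-07:40:01.000001  [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] [Priority: 3] {TCP} 10.0.0.5:49152 -> 10.0.0.9:443
06/12-07:40:02.000002  [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] [Priority: 3] {TCP} 10.0.0.5:49153 -> 10.0.0.9:443
06/12-07:40:03.000003  [**] [1:2014726:3] PLACEHOLDER rule message [**] [Priority: 2] {TCP} 10.0.0.7:51000 -> 10.0.0.9:80
"""

# The filtered-events table as quoted in the thread (second run).
STATS_SAMPLE = """\
+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1   seconds=60  filtered=4
| gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
| gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
| gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
| gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
| gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
| gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
| gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
Snort exiting
"""


def count_alerts(alert_text):
    """Count alerts per 'gid:sid' key across a Snort alert file."""
    counts = Counter()
    for match in SIG_RE.finditer(alert_text):
        gid, sid, _rev = match.groups()
        counts[f"{gid}:{sid}"] += 1
    return counts


def parse_filtered_events(stdout_text):
    """Map 'gid:sid' -> (filter type, filtered count) from Snort's shutdown stats."""
    filtered = {}
    for line in stdout_text.splitlines():
        match = FILTERED_RE.search(line)
        if match:
            gid, sid, ftype, n_filtered = match.groups()
            filtered[f"{gid}:{sid}"] = (ftype, int(n_filtered))
    return filtered


def suppression_report(alert_text, stdout_text):
    """For every filtered gid:sid, compare what was filtered with what still alerted.

    A 'Suppress' filter is expected to leave zero alerts; any remaining
    alert for such a key is flagged as a leak worth investigating
    (e.g. alerts emitted on a code path the filter does not cover).
    """
    alerted = count_alerts(alert_text)
    filtered = parse_filtered_events(stdout_text)
    report = {}
    for key, (ftype, n_filtered) in filtered.items():
        n_alerted = alerted.get(key, 0)
        report[key] = {
            "type": ftype,
            "filtered": n_filtered,
            "alerted": n_alerted,
            "leak": ftype == "Suppress" and n_alerted > 0,
        }
    return report


if __name__ == "__main__":
    for key, row in sorted(suppression_report(ALERT_SAMPLE, STATS_SAMPLE).items()):
        flag = "  <-- suppress leaking" if row["leak"] else ""
        print(f"{key:>12}  {row['type']:<8} filtered={row['filtered']:<5} "
              f"alerted={row['alerted']}{flag}")
```

In practice, feed it the real alert file and the captured stdout of the Snort run; a `Suppress` row with a non-zero `alerted` column is the condition the thread is chasing, while `Limit`/`Threshold` rows are expected to show residual alerts by design.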
