[Snort-users] Suppress not suppresing all alerts for specific gen_id, only a few.

Agus agus.262 at ...11827...
Wed Jun 12 10:59:51 EDT 2013


Thanks, guys.

James: that's what I did in between the tests, as it shows in the output.
But still receiving some alerts on that gen_id.. Fewer, but still some.
That's what I don't understand.

Joel: Yes. I will probably end up disabling the preprocessor for that. But I
just don't understand why suppress doesn't suppress all alerts on the same gen_id
if put in threshold.conf :S

I will try to test another preprocessor to see if it has the same issue.


2013/6/12 Joel Esler <jesler at ...1935...>

> Why don't you just turn off the alert in the snort.conf?
>
> --
> *Joel Esler*
>
> On Jun 12, 2013, at 9:46 AM, Agus <agus.262 at ...11827...> wrote:
>
> Hi guys,
>
> Here are the tests... any help is appreciated.
>
> snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.6 GRE (Build 73)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.3.0
>            Using PCRE version: 6.6 06-Feb-2006
>            Using ZLIB version: 1.2.3
>
>
> +-----------------------[filtered events]--------------------------------------
> | gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
> | gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
> | gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
> | gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
> | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
> | gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
> | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
> Snort exiting
> [snort01 snort]# cat alert|grep "138:5"|wc -l
> 492
> [snort01 snort]# rm alert
>
>
> Now I apply the suppress
>
> +-----------------------[filtered events]--------------------------------------
> | gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
> | gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
> | gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
> | gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
> | gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
> | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
> | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
> | gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
> Snort exiting
> [snort01 snort]# cat alert|grep "138:5"|wc -l
> 63
>
>
> Also it's worth mentioning that all alerts regarding
> [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] are false positives,
> as the information shown in the pcap is encrypted.
>
> Thanks!
>
>
>
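The cross-check done by hand above with `cat alert|grep "138:5"|wc -l` can be automated. The script below is an added example, not code from the thread or from the Snort project: it parses `suppress gen_id X, sig_id Y` lines from threshold.conf, counts alert records per gid:sid in a Snort alert file, and reports suppressed events that still reached the file. The threshold.conf and alert-file excerpts are constructed samples.

```python
"""Cross-check Snort threshold.conf suppress entries against an alert file.

Reports (gid, sid) pairs that are suppressed in threshold.conf but still
appear in Snort's alert output, i.e. suppression that did not take effect.
"""
import re
from collections import Counter

# Snort suppress syntax: "suppress gen_id <gid>, sig_id <sid>" (optionally
# followed by "track by_src/by_dst, ip <addr>"; those are matched too).
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)
# Every alert record in full or fast alert format carries a "[**] [gid:sid:rev]" tag.
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):\d+\]")

def parse_suppress(conf_text):
    """Return the set of (gid, sid) pairs that threshold.conf suppresses."""
    pairs = set()
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs

def count_alerts(alert_text):
    """Count alert records per (gid, sid) in Snort's alert file contents."""
    counts = Counter()
    for m in ALERT_RE.finditer(alert_text):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts

def leaked_alerts(conf_text, alert_text):
    """Return {(gid, sid): count} for suppressed events that still alerted."""
    suppressed = parse_suppress(conf_text)
    return {k: v for k, v in count_alerts(alert_text).items() if k in suppressed}

# Constructed sample threshold.conf and alert-file excerpt (not from the thread).
SAMPLE_CONF = """# threshold.conf
suppress gen_id 138, sig_id 5
suppress gen_id 119, sig_id 19
"""
SAMPLE_ALERTS = """[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[Classification: Sensitive Data] [Priority: 2]
[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[**] [1:2014726:1] (constructed rule message) [**]
[**] [120:3:1] (constructed preprocessor message) [**]
"""

if __name__ == "__main__":
    for (gid, sid), n in sorted(leaked_alerts(SAMPLE_CONF, SAMPLE_ALERTS).items()):
        print(f"{gid}:{sid} is suppressed but still produced {n} alert(s)")
```

Run it against the real files with `leaked_alerts(open("threshold.conf").read(), open("alert").read())`; a non-empty result reproduces the 138:5 discrepancy shown in the thread.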