[Snort-users] Suppress not suppressing all alerts for specific gen_id, only a few.

Agus agus.262 at ...11827...
Thu Jun 13 10:33:10 EDT 2013


I ended up adding sensitive-data.preproc to ignore in PP

Cheers


2013/6/12 Agus <agus.262 at ...11827...>

> Thanks, guys.
>
> James: that's what I did in between the tests, as it shows in the output.
> But I'm still receiving some alerts on that gen_id. Fewer, but still some.
> That's what I don't understand.
>
> Joel: Yes, I will probably end up disabling the preprocessor for that, but
> I just don't understand why suppress doesn't suppress all alerts on the same gen_id
> if put in threshold.conf :S
>
> I will try to test another preprocessor to see if it has the same issue.
>
>
> 2013/6/12 Joel Esler <jesler at ...1935...>
>
>> Why don't you just turn off the alert in the snort.conf?
>>
>> --
>> *Joel Esler*
>>
>> On Jun 12, 2013, at 9:46 AM, Agus <agus.262 at ...11827...> wrote:
>>
>> Hi guys,
>>
>> Here are the tests... any help is appreciated.
>>
>> snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.4.6 GRE (Build 73)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.3.0
>>            Using PCRE version: 6.6 06-Feb-2006
>>            Using ZLIB version: 1.2.3
>>
>>
>> +-----------------------[filtered events]--------------------------------------
>> | gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
>> | gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
>> | gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
>> | gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
>> | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
>> | gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
>> | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
>> Snort exiting
>> [snort01 snort]# cat alert|grep "138:5"|wc -l
>> 492
>> [snort01 snort]# rm alert
>>
>>
>> Now I apply the suppress:
>>
>> +-----------------------[filtered events]--------------------------------------
>> | gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
>> | gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
>> | gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
>> | gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
>> | gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
>> | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
>> | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
>> | gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
>> Snort exiting
>> [snort01 snort]# cat alert|grep "138:5"|wc -l
>> 63
>>
>>
>> Also, it's worth mentioning that all alerts regarding
>> [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] are false
>> positives, as the information shown in the pcap is encrypted.
>>
>> Thanks!
>>
>>
>>
>>
>
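The check the original poster did by hand (`grep "138:5" alert | wc -l` before and after a suppress, compared against the `filtered=` column of Snort's exit summary) can be scripted so that every global suppress line in threshold.conf is cross-checked against what actually reached the alert file. The following is an added example, not code from the thread or from the Snort project. It assumes Snort 2.x's full `alert` file format (a `[**] [gid:sid:rev] msg [**]` header per record), the `suppress gen_id N, sig_id M[, track by_src|by_dst, ip A]` syntax of threshold.conf, and the `[filtered events]` summary layout shown above; the alert records, threshold.conf and summary embedded below are constructed sample data, and the message text used for sid 2014726 is a placeholder.

```python
import re
from collections import Counter

# Header line shared by Snort 2.x "alert" (full) and alert_fast output, e.g.
#   [**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# threshold.conf suppress line, optionally scoped to one IP:
#   suppress gen_id 138, sig_id 5
#   suppress gen_id 1, sig_id 2014726, track by_src, ip 10.0.0.7
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$",
    re.IGNORECASE,
)

# One row of Snort's "[filtered events]" exit summary.
FILTERED_RE = re.compile(
    r"gen-id=(\d+)\s+sig-id=(\d+)\s+type=(\w+)\s+.*?filtered=(\d+)"
)


def count_alerts(alert_text):
    """Alert records per (gid, sid): what `grep "138:5" alert | wc -l`
    approximates, but without also matching a port, timestamp or payload."""
    counts = Counter()
    for m in ALERT_RE.finditer(alert_text):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def parse_suppress(threshold_conf):
    """{(gid, sid): [scope, ...]}; scope is None for a global suppress,
    or (track, ip) when the line is limited to one address."""
    rules = {}
    for line in threshold_conf.splitlines():
        m = SUPPRESS_RE.match(line.split("#", 1)[0])
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            scope = (m.group(3).lower(), m.group(4)) if m.group(3) else None
            rules.setdefault(key, []).append(scope)
    return rules


def parse_filtered(summary_text):
    """{(gid, sid): (type, filtered_count)} from the exit summary."""
    out = {}
    for m in FILTERED_RE.finditer(summary_text):
        out[(int(m.group(1)), int(m.group(2)))] = (m.group(3), int(m.group(4)))
    return out


def suppress_leaks(alert_text, threshold_conf, summary_text):
    """Every (gid, sid) with a global suppress line that still appears in the
    alert file. A global suppress should leave zero records, so any entry here
    is the mismatch seen in the thread (419 filtered, 63 still logged)."""
    alerts = count_alerts(alert_text)
    filtered = parse_filtered(summary_text)
    leaks = {}
    for key, scopes in parse_suppress(threshold_conf).items():
        if None not in scopes:
            continue  # IP-scoped suppress: alerts from other hosts are expected
        if alerts.get(key, 0):
            leaks[key] = {"alerted": alerts[key],
                          "filtered": filtered.get(key, ("", 0))[1]}
    return leaks


# Constructed sample data (not taken from the thread).
SAMPLE_ALERTS = """\
[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[Classification: Sensitive Data] [Priority: 2]
06/12-09:46:01.000001 10.0.0.5:41022 -> 10.0.0.9:25

[**] [1:2014726:1] placeholder message for sid 2014726 [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/12-09:46:02.000002 10.0.0.7:51000 -> 10.0.0.9:443

[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[Classification: Sensitive Data] [Priority: 2]
06/12-09:46:03.000003 10.0.0.5:41023 -> 10.0.0.9:25

[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[Classification: Sensitive Data] [Priority: 2]
06/12-09:46:04.000004 10.0.0.6:41024 -> 10.0.0.9:25
"""

SAMPLE_THRESHOLD = """\
# constructed threshold.conf
suppress gen_id 138, sig_id 5
suppress gen_id 119, sig_id 19
suppress gen_id 1, sig_id 2014726, track by_src, ip 10.0.0.7
"""

SAMPLE_SUMMARY = """\
+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
| gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
| gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
Snort exiting
"""

if __name__ == "__main__":
    leaks = suppress_leaks(SAMPLE_ALERTS, SAMPLE_THRESHOLD, SAMPLE_SUMMARY)
    for (gid, sid), info in sorted(leaks.items()):
        print(f"{gid}:{sid} has a global suppress but {info['alerted']} alert(s) "
              f"were still logged ({info['filtered']} filtered)")
```

On the constructed input this reports only 138:5 (three records logged despite a global suppress); 119:19 is fully filtered and the IP-scoped suppress for 1:2014726 is deliberately ignored, since alerts from other source hosts are expected to get through it. Matching on the `[gid:sid:rev]` header rather than a bare `138:5` substring also avoids counting a line where that text appears elsewhere in a record.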

