[Snort-users] Suppression vs Disablesid

Johnny Venter johnny.venter at ...15370...
Fri Sep 27 08:52:04 EDT 2013


Hi YM, thanks for the clarification. So this file is *not* referenced in snort.conf, it's part of the pullepork.conf.

I updated the disablesid.conf file with the following line to disable the sensitive-data category: 

sensitive-data

This leads me to my next question, but I will provide some background first to "set the stage".  This particular snort sensor monitors traffic to/from the Internet from my LAN. I get an enormous amount of preprocessor alerts, so much that it makes it very difficult to weed through the alerts and find valid/action ones.  For example this is a sampling of my total alerts from yesterday:

sensitive_data: sensitive data - eMail addresses	66356
sensitive_data: sensitive data global threshold exceeded	49972
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE	24828
http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS	8100
stream5: Limit on number of overlapping TCP packets reached	6968

A lot of the sensitive-data and stream5 alerts are false positives.  As this is internet traffic, I don't think that http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE is applicable. With this in mind, I've updated my snort.conf to suppress a lot of alerts:

suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 28
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 7
suppress gen_id 120, sig_id 8
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 14
suppress gen_id 129, sig_id 3….. (more of the same)

For those of you that have run into this, what are your suggestions: (1) create your own sensitive-data rules specific to your environment (2) keep the alerts suppressed (3) tune the preprocessor config somehow (4) something else??

Thanks.

On Sep 27, 2013, at 8:35 AM, Y M <snort at ...15979...> wrote:

> Hi Johnny,
>  
> The disablesid.conf is part of PulledPork that processes the rules tabrball for you. Once you specify the rules you want to disable in the disablesid.conf, PulledPork will use this file to disable the rules specified in the disablesid.conf  to disable them. This way you get the rules disabled automatically by PulledPork everytime you update your rules.
>  
> Hope this helps.
> YM
>  
> > From: johnny.venter at ...15370...
> > Date: Fri, 27 Sep 2013 08:15:44 -0400
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Suppression vs Disablesid
> > 
> > Hello,
> > 
> > I have a question regarding suppression vs disablesid.conf. I know that the packet is still processed with suppression, so cpu/mem/hd/net resources are still used. I would like to try using the disablesid.conf file, but do not know where to create it. I figure it's arbitrary, so my other question is: where in the snort.conf file do I reference the disablesid.conf?
> > 
> > Thanks.
> > 
> > ------------------------------------------------------------------------------
> > October Webinars: Code for Performance
> > Free Intel webinars can help you accelerate application performance.
> > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> > the latest Intel processors and coprocessors. See abstracts and register >
> > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > 
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130927/9a546e12/attachment.html>


More information about the Snort-users mailing list