[Snort-users] Suppressing the SCAN UPnP service alerts
wkitty42 at ...14940...
Wed Jun 25 13:08:34 EDT 2014
On 6/25/2014 2:14 AM, basant subba wrote:
> When I run snort, I get a lot of "SCAN UPnP service discover attempt" alerts
> with SID 1917. How do I suppress this alert? Which .rules file contains the
> signature corresponding to this alarm? Also, is it something I should keep track of?
do you want to suppress it or stop it? suppressing means that it is still
processed (unless i'm misunderstanding something) but the action (alert, drop,
etc) is not performed... stopping it means disabling it...
finding a rule is as easy as using a text search tool like grep... this is a
script i use on my boxen...
$ cat lookuprule
#!/usr/bin/env bash
# lookuprule bash script to find snort rules by sid
# usage: ./lookuprule <sid>   (e.g. ./lookuprule 1917)
grep -i -E "sid:\W*$1;" /path/to/snort/*rules*/*.rules
use it like ./lookuprule 1917
it searches all rules directories under /path/to/snort and all the rules files
in those directories...
a manually typed command line would be
grep -i -E "sid:\W*1917;" /path/to/snort/*rules*/*.rules
once you find the rule file's name, then edit it to comment out (#) that rule...
if you use tools like oinkmaster and pulledpork, they have a disablesid section
where you list the SIDs of the rules you do not want active. they will ensure
that these rules are always inactive when you use them to update your rules...
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
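Added example (not part of the mail above): a small bash script that looks up a rule by SID the way the reply describes, then shows the two choices it contrasts, commenting the rule out in the .rules file versus keeping it loaded and silencing it with a Snort 2.x threshold.conf suppress entry. The rules tree and the rule lines are constructed for the example; lookup_rule, disable_sid, suppress_line and active_count are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example, not from the original mail: find a Snort rule by SID and
# either disable it (comment it out) or emit a suppress entry for threshold.conf.
set -eu

# Constructed sample rules tree standing in for /path/to/snort/*rules*/*.rules.
RULES_ROOT="$(mktemp -d)"
trap 'rm -rf "$RULES_ROOT"' EXIT
mkdir -p "$RULES_ROOT/rules"
cat > "$RULES_ROOT/rules/scan.rules" <<'EOF'
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; sid:1917; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed sample rule"; sid:9999999; rev:1;)
EOF

# Rule actions that mark an active (uncommented) rule line.
ACTIONS='(alert|log|pass|drop|reject|sdrop)'

# Print file:line:rule for the given SID (same idea as the mail's grep,
# with -H so the file name is shown even when only one file matches).
lookup_rule() {  # lookup_rule <sid>
    grep -i -E -H -n "sid:[[:space:]]*$1;" "$RULES_ROOT"/*rules*/*.rules
}

# Count active rule lines carrying the SID, to check the result of disable_sid.
active_count() {  # active_count <sid>
    grep -h -E "^[[:space:]]*$ACTIONS[[:space:]].*sid:[[:space:]]*$1;" \
        "$RULES_ROOT"/*rules*/*.rules | wc -l | tr -d ' '
}

# Disable the rule in place by prefixing it with "# "; a .bak copy is kept.
disable_sid() {  # disable_sid <sid>
    local sid="$1" f
    for f in "$RULES_ROOT"/*rules*/*.rules; do
        if grep -q -E "sid:[[:space:]]*$sid;" "$f"; then
            sed -i.bak -E \
                "/^[[:space:]]*$ACTIONS[[:space:]].*sid:[[:space:]]*$sid;/ s/^/# /" "$f"
        fi
    done
}

# Alternative that keeps the rule loaded but drops its output: a suppress line
# for Snort's threshold.conf (gen_id 1 is the rules engine).
suppress_line() {  # suppress_line <sid>
    printf 'suppress gen_id 1, sig_id %s\n' "$1"
}

lookup_rule 1917
suppress_line 1917
```

Run disable_sid only on a copy of the rules if the tree is managed by oinkmaster or pulledpork, since their next update will restore the file; the disablesid list is the durable place for that.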