[Snort-users] Suppressing the SCAN UPnP service alerts

basant subba basantsubba at ...11827...
Wed Jun 25 14:33:20 EDT 2014

Thanks Waldo that was very helpful. I am using oinkmaster to update my
rules. I didn't know I could disable a particular signature using
disablesid section of oinkmaster.conf file. Thanks for letting us know.

On Wed, Jun 25, 2014 at 10:38 PM, waldo kitty <wkitty42 at ...14940...>

> On 6/25/2014 2:14 AM, basant subba wrote:
> > When I run snort, I get  a lot of "SCAN UPnP service discover attempt"
> alerts
> > with SID 1917? How do I suppress this alert? Which .rules file contains
> the
> > signature corresponding to this alarm? Also is it something I should
> keep track of?
> do you want to suppress it or stop it? suppressing means that it is still
> processed (unless i'm misunderstanding something) but the action (alert,
> drop,
> etc) is not performed... stopping it means disabling it...
> finding a rule is as easy as using a text search tool like grep... this is
> a
> script i use on my boxen...
> $ cat lookuprule
> #! /bin/bash
> # lookuprule bash script to find snort rules by sid
> grep -i -E "sid:\W*$1;" /path/to/snort/*rules*/*.rules
> use it like ./lookuprule 1917
> it searches all rules directories under /path/to/snort and all the rules
> files
> in those directories...
> a manually typed command line would be
> grep -i -E "sid:\W*1917;" /path/to/snort/*rules*/*.rules
> once you find the rule file's name, then edit it to comment out (#) that
> rule...
> if you use tools like oinkmaster and pulledpork, they have a disablesid
> section
> where you list the SIDs of the rules you do not want active. they will
> ensure
> that these rules are always inactive when you use them to update your
> rules...
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140626/4cd6ce4a/attachment.html>

More information about the Snort-users mailing list