Snort mailing list archives
Suppression configuration reading IP address backwards?
From: Martin McKeay <mmckeay () yahoo com>
Date: Thu, 8 Jan 2004 07:50:08 -0800 (PST)
Good morning,

At the suggestion of Chris Kelidas, who was trying to help me filter out some of the excessive alerts I was seeing due to http_inspect, I tried implementing the event suppression, and I am having a really hard time of it. This morning I ran Snort without using the daemon mode for the first time and really looked at the output. It appears to me that the event suppression commands are reading the IP address in reverse! Is this just my particular configuration (Snort 2.1.0, on Solaris 9.0) or is this a problem others have been seeing?

Here is the relevant part of my snort.conf:

# suppression rules for the mangled IP traffic to the Proxy servers
suppress gen_id 116, sig_id 54, track by_dst, ip 10.4.1.45/32
suppress gen_id 116, sig_id 54, track by_dst, ip 10.4.1.46/32
suppress gen_id 116, sig_id 55, track by_dst, ip 10.4.1.45/32
suppress gen_id 116, sig_id 56, track by_dst, ip 10.4.1.46/32

# Suppression rules for mangled HTTP traffic from the Proxy Servers
suppress gen_id 119, sig_id 13, track by_src, ip 10.0.0.0/8
suppress gen_id 119, sig_id 13, track by_src, ip 10.0.0.0/8
suppress gen_id 119, sig_id 1, track by_src, ip 10.0.0.0/8
suppress gen_id 119, sig_id 1, track by_src, ip 10.0.0.0/8

And here is the relevant portion of the Snort initialization using this config.
+-----------------------[suppression]------------------------------------------
| gen-id=116 sig-id=55 tracking=dst ip=45.1.4.10 mask=255.255.255.255
| gen-id=116 sig-id=56 tracking=dst ip=46.1.4.10 mask=255.255.255.255
| gen-id=116 sig-id=54 tracking=dst ip=45.1.4.10 mask=255.255.255.255
| gen-id=116 sig-id=54 tracking=dst ip=46.1.4.10 mask=255.255.255.255
| gen-id=119 sig-id=13 tracking=src ip=0.0.0.10 mask=0.0.0.255
| gen-id=119 sig-id=13 tracking=src ip=0.0.0.10 mask=0.0.0.255
| gen-id=119 sig-id=1 tracking=src ip=0.0.0.10 mask=0.0.0.255
| gen-id=119 sig-id=1 tracking=src ip=0.0.0.10 mask=0.0.0.255

My next experiment will be to try entering the IPs in reverse and seeing if that fixes the issue. Much fun to be had by all!

Martin McKeay

=====
Martin McKeay, CISSP, CCNA
http://www.mckeay.net
707-529-7701
marty () mckeay net
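A quick way to confirm what the dump above is showing, as an added example that is not part of Martin's message and not Snort's own code: parse the suppress lines, compute the ip=/mask= pair a correct parse would print, and compare it with the pair Snort actually printed. Every entry in the post comes out as exactly the octet-reversed form of the configured network (10.0.0.0/8 becomes 0.0.0.10 with mask 0.0.0.255), which is the signature of a 32-bit word being written in one byte order and read back in the other. The sample config and the printed pairs are copied from the post; the regex for the suppress syntax and the `wrong_order_word` emulation of the failure mode are assumptions for illustration, not statements about Snort's source.

```python
import ipaddress
import re
import struct

# Constructed sample input: three of the suppress lines from the post, with the
# ip=/mask= pairs that Snort 2.1.0 printed for them in the initialization dump.
SNORT_CONF = """\
# suppression rules for the mangled IP traffic to the Proxy servers
suppress gen_id 116, sig_id 54, track by_dst, ip 10.4.1.45/32
suppress gen_id 116, sig_id 56, track by_dst, ip 10.4.1.46/32
# Suppression rules for mangled HTTP traffic from the Proxy Servers
suppress gen_id 119, sig_id 13, track by_src, ip 10.0.0.0/8
"""

PRINTED = {  # (gen_id, sig_id, cidr) -> (ip=, mask=) as shown in the dump
    (116, 54, "10.4.1.45/32"): ("45.1.4.10", "255.255.255.255"),
    (116, 56, "10.4.1.46/32"): ("46.1.4.10", "255.255.255.255"),
    (119, 13, "10.0.0.0/8"): ("0.0.0.10", "0.0.0.255"),
}

# Assumed grammar for the suppress directive: matches the lines in the post.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+by_(src|dst)\s*,\s*ip\s+(\S+)$"
)


def parse_suppress(conf):
    """Parse 'suppress' lines into (gen_id, sig_id, track, IPv4Network) tuples.
    Comment and blank lines are skipped; anything else unparseable is an error."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        gen_id, sig_id, track, cidr = m.groups()
        rules.append((int(gen_id), int(sig_id), track,
                      ipaddress.ip_network(cidr, strict=False)))
    return rules


def byte_reversed(addr):
    """Dotted quad with the four octets in reverse order (a.b.c.d -> d.c.b.a)."""
    packed = ipaddress.IPv4Address(addr).packed
    return str(ipaddress.IPv4Address(bytes(reversed(packed))))


def expected_dump(net):
    """The ip=/mask= pair a correct parse of `net` should print."""
    return str(net.network_address), str(net.netmask)


def reversed_dump(net):
    """The ip=/mask= pair you get if both words are printed byte-reversed."""
    return byte_reversed(net.network_address), byte_reversed(net.netmask)


def diagnose(net, printed_ip, printed_mask):
    """Classify what Snort printed for `net`: 'ok', 'byte-reversed' or 'other'."""
    if (printed_ip, printed_mask) == expected_dump(net):
        return "ok"
    if (printed_ip, printed_mask) == reversed_dump(net):
        return "byte-reversed"
    return "other"


def wrong_order_word(addr):
    """Assumed failure mode (not a claim about Snort's source): the address is
    stored as a 32-bit word in network byte order, then read back as if the
    word were little-endian. Every octet lands in the opposite position."""
    word = int(ipaddress.IPv4Address(addr))
    swapped = struct.unpack("<I", struct.pack("!I", word))[0]
    return str(ipaddress.IPv4Address(swapped))


if __name__ == "__main__":
    for gen_id, sig_id, track, net in parse_suppress(SNORT_CONF):
        printed_ip, printed_mask = PRINTED[(gen_id, sig_id, str(net))]
        print(f"gen-id={gen_id} sig-id={sig_id} tracking={track} "
              f"ip={printed_ip} mask={printed_mask} -> "
              f"{diagnose(net, printed_ip, printed_mask)}")
```

Running it against the three sample lines labels every one of them `byte-reversed`, and `wrong_order_word("10.4.1.45")` reproduces the `45.1.4.10` seen in the dump. The practical consequence for anyone relying on these suppressions is that the entries never match the intended hosts, so the alerts they were meant to silence keep firing; checking the `[suppression]` block of the startup output against the configured networks, as Martin did here, is the fastest way to catch that.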
Current thread:
- Suppression configuration reading IP address backwards? Martin McKeay (Jan 12)