Snort mailing list archives
Converting pass to suppress rules
From: "Stephen Reese" <rsreese () gmail com>
Date: Tue, 28 Oct 2008 10:22:35 -0400
I would like to make sure I have a firm grasp on suppression before utilizing it in production. Here are my proposed changes. I understand that snort will continue to evaluate a packet even if a suppress statement is fired, but I want to make sure that I'm not over-utilizing it. I really wish you could use src and dst or variables with suppression, but I guess that keeps them simple.

    var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
    var EXTERNAL_NET any
    var ROLAC [172.31.1.0/24]
    var 3825ROUTER [172.31.1.1/32]
    var DI200 [172.31.1.223/32,172.31.1.240/32]

    #Ignore redirects from the main router to the internet router
    #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:7;)
    #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:5;)
    pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000000;)
    pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000001;)
    suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.0/21
    suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.0/21

    #Chatty Minolta copiers
    #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:7;)
    pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000002;)
    pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000003;)
    suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.223
    suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.240
    suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.223
    suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.240

    #Who cares if internal hosts are pinging each other
    pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; sid:1000004;)
    pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; sid:1000005;)

This one I can't figure out, because we want to know if a host may be pinging the outside world, for example a flood of ICMP PING packets to somewhere outside our 172.31.1.0.
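A small checker for the kind of suppress list discussed above, added here as an example and not part of the original post or of Snort itself. It parses `suppress gen_id ..., sig_id ..., track by_src|by_dst, ip ...` directives and reports whether a given event would be silenced, which makes it easy to see that a `track by_src` entry keyed on a network matches any source inside that network regardless of destination (the sample lines are the post's suppress entries plus one constructed `by_dst` entry for sid 408, which is hypothetical).

```python
import ipaddress
import re

# Constructed sample: the post's suppress lines plus one hypothetical by_dst entry.
SUPPRESS_CONF = """
suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.0/21
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.0/21
suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.223
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.240
suppress gen_id 1, sig_id 408, track by_dst, ip 172.31.1.1   # hypothetical
"""

# One directive per line; the track/ip clause is optional (without it the
# suppression applies to every source and destination). Bracketed ip lists
# are not handled here.
LINE_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_suppress(text):
    """Return a list of (gid, sid, track, network); track/network are None
    when the directive carries no track clause."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed suppress line: " + line)
        gid, sid, track, ip = m.groups()
        # strict=False normalises host bits, e.g. 172.31.1.0/21 -> 172.31.0.0/21
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules

def is_suppressed(rules, gid, sid, src, dst):
    """True if an event with this gid/sid and src/dst would be silenced."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if track is None:                       # no track clause: global
            return True
        if track == "by_src" and src in net:
            return True
        if track == "by_dst" and dst in net:
            return True
    return False
```

Feeding the first entry through shows the normalised network is 172.31.0.0/21, i.e. sources from 172.31.0.0 through 172.31.7.255 are covered for sid 404, not only the router host the pass rule names.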