Snort mailing list archives
Re: Suppressing alert
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Mon, 29 Jun 2009 12:24:18 -0600
Hi,

When I try this, I get an error message about the rule with the same GID/SID being redefined with a different type. I changed the SID to something in the 1 million range, and Snort loads correctly. I defined this in local.rules:

pass tcp 10.0.0.1 any -> 10.0.0.2 any (msg:"ET ATTACK_RESPONSE Adenau Shellcode False Positive"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009249; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:1500000; rev:2;)

Is that the best method for ignoring this one specific src/dst pair for this specific detection with Snort? (I don't want Snort to ignore all traffic going between these two machines.)

-----Original Message-----
From: Shenk, Jerry A [mailto:jshenk () decommunications com]
Sent: June 26, 2009 11:34 AM
To: Jefferson, Shawn; Snort Users
Subject: RE: [Snort-users] Suppressing alert

No, you can specify source and destination...something like:

var SNMP_MONITORS [192.168.1.1,192.168.1.2]
pass udp $SNMP_MONITORS any -> $HOME_NET 161 (msg:"INTERNAL SNMP monitor"; sid:1417; rev:2; classtype:attempted-recon;)

Something like that... In this case, the sid refers to the "original rule" that this is an exclusion for.

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Friday, June 26, 2009 1:53 PM
To: Snort Users
Subject: [Snort-users] Suppressing alert

Hi,

I want to suppress an alert, but only from a specific src to a specific dst. Looking at the documentation for alert suppression, it looks like you can either use track by_src OR by_dst. What's the best way to do this?

Thanks,
-- Shawn
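The two approaches discussed in this thread side by side, as an added illustration that is not taken from either poster's configuration. The pass rule repeats the content matches of the original signature, so only packets that would have triggered that exact detection between the one src/dst pair are passed and every other packet between the two hosts is still inspected; the suppress entry shows the by_src/by_dst limitation Shawn describes. The IP addresses are the ones used in the thread, and <ORIGINAL_ET_SID> is a placeholder for the SID of the original Emerging Threats rule, which the thread does not state.

```snort
# --- local.rules: pass rule restricted to one src/dst pair ---
# Same content matches as the original ET signature, so the pass only
# applies to packets that would have fired that detection. Traffic between
# 10.0.0.1 and 10.0.0.2 that does not match these bytes is inspected as usual.
# A local SID in the 1,000,000+ range avoids the GID/SID "redefined with a
# different type" error that reusing the original SID produces.
pass tcp 10.0.0.1 any -> 10.0.0.2 any (msg:"LOCAL pass ET Adenau Shellcode FP 10.0.0.1 -> 10.0.0.2"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; sid:1500000; rev:2;)

# Check that your Snort build evaluates pass rules before alert rules
# (see the 'config order:' directive / the -o switch); otherwise the alert
# still fires before the pass rule is reached.

# --- threshold.conf: the suppress alternative ---
# suppress tracks by_src OR by_dst, never both. This entry silences the
# original signature for every destination when the source is 10.0.0.1
# (or, with track by_dst, ip 10.0.0.2, for every source), so it cannot
# express "only this pair". <ORIGINAL_ET_SID> is a placeholder.
suppress gen_id 1, sig_id <ORIGINAL_ET_SID>, track by_src, ip 10.0.0.1
```

The design point is that a pass rule carrying the full detection content is the precise option: it removes exactly one detection for exactly one pair and leaves the original signature active everywhere else, whereas a suppress entry keyed on a single address removes the detection for that address against all peers.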