Snort mailing list archives
Re: Suppression question
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 29 May 2013 21:24:04 +0000
But doing this your way would suppress more than just the two-way traffic. I.e., if he wanted to suppress 1.2.3.4 <-> 5.6.7.8 with your rules, it would also suppress 1.2.3.4 <-> 10.11.12.13

On Wed, May 29, 2013 at 9:19 PM, Mike Hale <eyeronic.design () gmail com> wrote:
> You could use threshold configuration for this. I'm using something like this in threshold.conf:
>
> #Suppress Stuff for Websense box
> suppress gen_id 1, sig_id 2015561, track by_dst, ip 1.2.3.4
>
> You have to make sure you get the dst and src IPs right...some rules seem to trip them differently. To be safe, you can always duplicate the rules and interchange the source and destination IPs.
>
> #Suppress Stuff for Websense box
> suppress gen_id 1, sig_id 2015561, track by_dst, ip 1.2.3.4
> suppress gen_id 1, sig_id 2015561, track by_src, ip 2.3.4.5
>
> On Wed, May 29, 2013 at 1:32 PM, Jeremy Hoel <jthoel () gmail com> wrote:
>> You could write a local.rules rule to allow the traffic between the two hosts on that port (copy the rule that's hitting, change to pass and change the IPs) or you could do a BPF filter for that traffic. I myself like the local.rules option, so that if it hits on another rule, or a different type of traffic, you won't miss it like you would with the BPF.
>>
>> On Wed, May 29, 2013 at 1:27 PM, SnortFan <SnortFan () yahoo com> wrote:
>>> Hi All,
>>> I know you can suppress a rule by either source or destination ip, but is there a way to suppress a rule from a known ip to another known ip? On one sensor I'm getting an excessive amount of hits on one preprocessor rule from a specific ip going to another specific ip. I still want this rule to trigger but just not on this case from ip A to ip B.
>>> Thanks.
>>> Sent from a mobile device.
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
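The three approaches argued over in this thread (a one-sided `suppress` entry in threshold.conf, a pair-scoped `pass` rule in local.rules, and a BPF that hides the pair entirely) silence different sets of alerts. The following script is an added illustration written for this archive page, not Snort code and not anything posted by the participants. It models only the semantics the thread relies on: `suppress ... track by_src|by_dst, ip <ip>` keys on one address (a single IP or CIDR here; bracketed lists, event_filter and priorities are not modelled), a `pass` rule copied from the hitting rule matches the same signature but only between the two named hosts (the bidirectional `<>` operator is assumed), and a BPF such as `not (host A and host B)` drops every packet between the pair before any rule sees it. The addresses and sid 2015561 are the thread's; the alert labels and sid 2000001 are constructed sample data.

```python
"""Model of what each suppression approach from the thread silences.
Illustration for this page only; not Snort's implementation."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    name: str          # label used only for the constructed samples below
    gid: int
    sid: int
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    """threshold.conf 'suppress' entry: one-sided, keyed on src OR dst."""
    gid: int
    sid: int
    track: str         # "by_src" or "by_dst"
    net: object        # ipaddress IPv4Network/IPv6Network

    def matches(self, a: Alert) -> bool:
        if (a.gid, a.sid) != (self.gid, self.sid):
            return False
        side = a.src if self.track == "by_src" else a.dst
        return ipaddress.ip_address(side) in self.net


SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+)$"
)


def parse_threshold_conf(text: str) -> list:
    """Parse the 'suppress' form used in the thread; other lines are rejected."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold.conf line: {raw!r}")
        gid, sid, track, ip = m.groups()
        entries.append(Suppress(int(gid), int(sid), track,
                                ipaddress.ip_network(ip, strict=False)))
    return entries


@dataclass(frozen=True)
class PassRule:
    """local.rules 'pass' rule copied from the hitting rule, hosts filled in.
    Modelled as: same signature, traffic between the pair in either direction."""
    gid: int
    sid: int
    host_a: str
    host_b: str

    def matches(self, a: Alert) -> bool:
        return ((a.gid, a.sid) == (self.gid, self.sid)
                and {a.src, a.dst} == {self.host_a, self.host_b})


def bpf_drops(a: Alert, pairs) -> bool:
    """'not (host A and host B)': every packet between the pair is unseen."""
    return any({a.src, a.dst} == {x, y} for x, y in pairs)


def silenced(alerts, suppress_entries, pass_rules, bpf_pairs) -> dict:
    """Per approach, the names of the alerts it would silence."""
    return {
        "suppress": {a.name for a in alerts if any(s.matches(a) for s in suppress_entries)},
        "pass_rule": {a.name for a in alerts if any(p.matches(a) for p in pass_rules)},
        "bpf": {a.name for a in alerts if bpf_drops(a, bpf_pairs)},
    }


# Constructed sample data mirroring the thread's addresses and sid.
THRESHOLD_CONF = """\
#Suppress Stuff for Websense box
suppress gen_id 1, sig_id 2015561, track by_dst, ip 1.2.3.4
"""
PASS_RULES = [PassRule(1, 2015561, "1.2.3.4", "5.6.7.8")]
BPF_PAIRS = [("1.2.3.4", "5.6.7.8")]
ALERTS = [
    Alert("wanted",    1, 2015561, "5.6.7.8",     "1.2.3.4"),  # the pair to silence
    Alert("other_src", 1, 2015561, "10.11.12.13", "1.2.3.4"),  # Jeremy's objection
    Alert("reverse",   1, 2015561, "1.2.3.4",     "5.6.7.8"),  # Mike's src/dst caveat
    Alert("other_sid", 1, 2000001, "5.6.7.8",     "1.2.3.4"),  # made-up sid, same pair
]


def demo() -> dict:
    return silenced(ALERTS, parse_threshold_conf(THRESHOLD_CONF), PASS_RULES, BPF_PAIRS)


if __name__ == "__main__":
    for approach, names in demo().items():
        print(f"{approach:10s} silences {sorted(names)}")
```

Running it shows the trade-off in one table: the `by_dst` entry silences `other_src` too, and leaves `reverse` alerting unless a second `by_src` entry is added; the pair-scoped `pass` rule silences exactly the pair in both directions and nothing else; the BPF silences the pair but also `other_sid`, which is the alert on different traffic between the same hosts that Jeremy does not want to miss.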
Current thread:
- Suppression question SnortFan (May 29)
- Re: Suppression question Jeremy Hoel (May 29)
- Re: Suppression question Mike Hale (May 29)
- Re: Suppression question Jeremy Hoel (May 29)
- Re: Suppression question Mike Hale (May 29)
- Re: Suppression question waldo kitty (May 29)
- Re: Suppression question Mike Hale (May 29)
- Re: Suppression question Jeremy Hoel (May 29)