Snort mailing list archives
Re: Suppression vs Disablesid
From: Johnny Venter <johnny.venter () zoho com>
Date: Fri, 27 Sep 2013 08:52:04 -0400
Hi YM, thanks for the clarification. So this file is *not* referenced in snort.conf, it's part of the pulledpork.conf. I updated the disablesid.conf file with the following line to disable the sensitive-data category:

    sensitive-data

This leads me to my next question, but I will provide some background first to "set the stage". This particular snort sensor monitors traffic to/from the Internet from my LAN. I get an enormous amount of preprocessor alerts, so much that it makes it very difficult to weed through the alerts and find valid/actionable ones. For example this is a sampling of my total alerts from yesterday:

    sensitive_data: sensitive data - eMail addresses                       66356
    sensitive_data: sensitive data global threshold exceeded               49972
    http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE        24828
    http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS                         8100
    stream5: Limit on number of overlapping TCP packets reached             6968

A lot of the sensitive-data and stream5 alerts are false positives. As this is internet traffic, I don't think that http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE is applicable. With this in mind, I've updated my snort.conf to suppress a lot of alerts:

    suppress gen_id 119, sig_id 15
    suppress gen_id 119, sig_id 28
    suppress gen_id 119, sig_id 31
    suppress gen_id 119, sig_id 32
    suppress gen_id 120, sig_id 7
    suppress gen_id 120, sig_id 8
    suppress gen_id 129, sig_id 12
    suppress gen_id 129, sig_id 14
    suppress gen_id 129, sig_id 3
    ….. (more of the same)

For those of you that have run into this, what are your suggestions:

(1) create your own sensitive-data rules specific to your environment
(2) keep the alerts suppressed
(3) tune the preprocessor config somehow
(4) something else??

Thanks.

On Sep 27, 2013, at 8:35 AM, Y M <snort () outlook com> wrote:
> Hi Johnny,
>
> The disablesid.conf is part of PulledPork that processes the rules tarball for you. Once you specify the rules you want to disable in the disablesid.conf, PulledPork will use this file to disable the rules specified in the disablesid.conf to disable them. This way you get the rules disabled automatically by PulledPork every time you update your rules.
>
> Hope this helps.
>
> YM
>
> From: johnny.venter () zoho com
> Date: Fri, 27 Sep 2013 08:15:44 -0400
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Suppression vs Disablesid
>
> Hello, I have a question regarding suppression vs disablesid.conf. I know that the packet is still processed with suppression, so cpu/mem/hd/net resources are still used. I would like to try using the disablesid.conf file, but do not know where to create it. I figure it's arbitrary, so my other question is: where in the snort.conf file do I reference the disablesid.conf? Thanks.
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
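The thread contrasts two knobs: a snort.conf `suppress gen_id X, sig_id Y` line hides the event but the packet is still inspected, while a `gid:sid` entry in PulledPork's disablesid.conf removes a text rule from the ruleset so it is never evaluated. Preprocessor events (gid 119/120 http_inspect, 129 stream5, 138 sensitive_data) are not text rules, so the second knob does not reach them. The script below is an added example, not code from the list or from Snort/PulledPork: it tallies alert_fast-style lines per gid:sid, the way the per-event counts in the post were produced, and sorts noisy events into the knob that applies. The sample lines, their message text and addresses are constructed; only the gid:sid pairs come from the post.

```python
import re
from collections import Counter

# Snort 2.9 generator ids for the preprocessors named in the post.
PREPROC_GIDS = {119: "http_inspect (client)", 120: "http_inspect (server)",
                129: "stream5", 138: "sensitive_data"}

# Constructed alert_fast-style lines (placeholder messages, RFC 5737 addresses).
SAMPLE_ALERTS = """\
09/26-10:01:02.100000  [**] [119:15:1] (http_inspect) constructed msg A [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
09/26-10:01:02.200000  [**] [119:15:1] (http_inspect) constructed msg A [**] [Priority: 3] {TCP} 10.0.0.5:51235 -> 203.0.113.10:80
09/26-10:01:02.300000  [**] [119:15:1] (http_inspect) constructed msg A [**] [Priority: 3] {TCP} 10.0.0.6:51236 -> 203.0.113.10:80
09/26-10:01:03.400000  [**] [129:12:1] (stream5) constructed msg B [**] [Priority: 3] {TCP} 10.0.0.7:44000 -> 203.0.113.20:443
09/26-10:01:04.500000  [**] [1:2000001:2] constructed text rule C [**] [Priority: 1] {TCP} 198.51.100.4:4444 -> 10.0.0.3:22
09/26-10:01:05.600000  [**] [1:2000001:2] constructed text rule C [**] [Priority: 1] {TCP} 198.51.100.4:4445 -> 10.0.0.3:22
"""

# Matches "[**] [gid:sid:rev] message [**]" in alert_fast output.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\]")

def count_alerts(text):
    """Count alerts per (gid, sid); returns (Counter, {(gid, sid): message})."""
    counts, msgs = Counter(), {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            counts[key] += 1
            msgs.setdefault(key, m.group(3))
    return counts, msgs

def tuning_plan(counts, min_count):
    """Return (snort.conf suppress lines, disablesid.conf lines) for events
    seen at least min_count times. Text rules (gid 1 or 3) go to disablesid.conf
    so PulledPork drops them and they cost nothing; preprocessor events can only
    be suppressed here, so the packet is still inspected and the preprocessor
    config itself is the place to reduce that cost."""
    suppress, disable = [], []
    for (gid, sid), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < min_count:
            continue
        if gid in (1, 3):
            disable.append(f"{gid}:{sid}")
        else:
            suppress.append(f"# {PREPROC_GIDS.get(gid, 'preprocessor')}, {n} hits")
            suppress.append(f"suppress gen_id {gid}, sig_id {sid}")
    return suppress, disable

if __name__ == "__main__":
    counts, msgs = count_alerts(SAMPLE_ALERTS)
    for key, n in counts.most_common():
        print(f"{key[0]}:{key[1]}  {msgs[key]}  {n}")
    sup, dis = tuning_plan(counts, min_count=2)
    print("\n".join(sup)); print("\n".join(dis))
```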