Snort mailing list archives

Re: Suppression vs Disablesid


From: Johnny Venter <johnny.venter () zoho com>
Date: Fri, 27 Sep 2013 08:52:04 -0400

Hi YM, thanks for the clarification. So this file is *not* referenced in snort.conf, it's part of the pulledpork.conf.

I updated the disablesid.conf file with the following line to disable the sensitive-data category: 

sensitive-data

This leads me to my next question, but I will provide some background first to "set the stage".  This particular snort 
sensor monitors traffic to/from the Internet from my LAN. I get an enormous amount of preprocessor alerts, so much that 
it makes it very difficult to weed through the alerts and find valid/actionable ones.  For example this is a sampling of my 
total alerts from yesterday:

sensitive_data: sensitive data - eMail addresses        66356
sensitive_data: sensitive data global threshold exceeded        49972
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE 24828
http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS 8100
stream5: Limit on number of overlapping TCP packets reached     6968

A lot of the sensitive-data and stream5 alerts are false positives.  As this is internet traffic, I don't think that 
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE is applicable. With this in mind, I've updated my 
snort.conf to suppress a lot of alerts:

suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 28
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 7
suppress gen_id 120, sig_id 8
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 14
suppress gen_id 129, sig_id 3….. (more of the same)

For those of you that have run into this, what are your suggestions: (1) create your own sensitive-data rules specific 
to your environment (2) keep the alerts suppressed (3) tune the preprocessor config somehow (4) something else??

Thanks.

On Sep 27, 2013, at 8:35 AM, Y M <snort () outlook com> wrote:

Hi Johnny,
 
The disablesid.conf is part of PulledPork that processes the rules tarball for you. Once you specify the rules you 
want to disable in the disablesid.conf, PulledPork will use this file to disable them. This way you get the rules 
disabled automatically by PulledPork every time you update your rules.
 
Hope this helps.
YM
 
From: johnny.venter () zoho com
Date: Fri, 27 Sep 2013 08:15:44 -0400
To: snort-users () lists sourceforge net
Subject: [Snort-users] Suppression vs Disablesid

Hello,

I have a question regarding suppression vs disablesid.conf. I know that the packet is still processed with 
suppression, so cpu/mem/hd/net resources are still used. I would like to try using the disablesid.conf file, but do 
not know where to create it. I figure it's arbitrary, so my other question is: where in the snort.conf file do I 
reference the disablesid.conf?

Thanks.
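As an added example (not written by any of the posters in this thread), here are the three mechanisms the thread talks about side by side: a `suppress`/`event_filter` in snort.conf, a PulledPork disablesid.conf, and the preprocessor settings that stop the noisiest preprocessor alerts at the source. The gid/sid pairs 119, 120, 129 and the `sensitive-data` category come from Johnny's post; gid 138 is the sensitive_data preprocessor's generator id in Snort 2.9. The specific sid 2, the file paths, the 10.0.0.0/8 range, the port list and the threshold and limit values are assumptions chosen for illustration, not values taken from the thread.

```conf
# ---- 1. snort.conf: suppression and event filtering ----
# A suppress drops the *event* only. The packet is still decoded, reassembled
# and matched, so this saves disk and analyst time but no CPU or memory.
# Same syntax as the poster's own list; gid 138 = sensitive_data preprocessor.
suppress gen_id 138, sig_id 2                                  # sid 2 is a placeholder

# Narrow a suppression to the hosts that are known to trigger it (assumed range),
# rather than silencing the event for the whole sensor.
suppress gen_id 129, sig_id 12, track by_src, ip 10.0.0.0/8

# Rate-limit instead of silence: one alert per source every 5 minutes keeps
# evidence that the condition occurs without tens of thousands of copies.
event_filter gen_id 120, sig_id 8, type limit, track by_src, count 1, seconds 300

# ---- 2. PulledPork: the rule never makes it into the rule set at all ----
# pulledpork.conf is what points at disablesid.conf; snort.conf never does.
# (path below is an assumption)
disablesid=/etc/snort/disablesid.conf

# /etc/snort/disablesid.conf  -- PulledPork's accepted forms:
sensitive-data                 # whole category, as the poster did (rules file name minus .rules)
138:2                          # one rule by gid:sid (placeholder sid)
1:1000-1:1100                  # a gid:sid range
pcre:SENSITIVE-DATA.*Email     # every rule whose text matches the regex

# Caveat: gid 119/120/129 events are preprocessor events, not rules in the
# text-rule tarball. In Snort 2.9 they are governed by preprocessor.rules;
# commenting a sid out there (or not including that file) stops the event
# entirely, which is the equivalent of "disablesid" for preprocessor alerts.

# ---- 3. snort.conf: tune the preprocessor so the event is not produced ----
# stream5: bound the overlap check per session instead of alerting on it forever
preprocessor stream5_tcp: policy linux, overlap_limit 10, timeout 180

# http_inspect: keep HTTP normalization (rules still see decoded URIs) but turn
# off http_inspect's own alerts for a server profile. Note this also hides real
# HTTP evasion alerts, so prefer event_filter unless the profile is truly noise.
preprocessor http_inspect_server: server default profile all ports { 80 8080 } no_alerts

# sensitive_data: raise the global threshold that produces "global threshold
# exceeded", and mask the matched data so PII is not written to alert logs.
preprocessor sensitive_data: alert_threshold 100 mask_output
```

The practical ordering is: tune the preprocessor first (option 3 in Johnny's list) so the event is never generated; disable through PulledPork for text rules you will never want, so they cost nothing at load or match time; and keep `suppress`/`event_filter` for the long tail where you still want the packet inspected but only want to hear about it once.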

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
