Snort mailing list archives

Re: threshold.conf global suppression by IP


From: Mitch Gates <MGates () americanbus com>
Date: Mon, 12 Sep 2016 15:25:48 +0000

Thanks YM - the service did start with that syntax, so I'll have to see if it behaves as intended.  Still one issue, 
though: it appears that with a global suppress I have to choose either src or dst, I can't do both?  I.e., I can do 
either:


suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24
<OR>

suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24



And the service will start fine. If I try:



suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24

suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24



The service will not start.  So does anyone know how to get global suppress on both src/dst?

MITCH GATES | Systems Administrator | American Solutions for Business
Office: 320-334-3535 | Cell: 320-424-0206 | Email: mgates () americanbus com<mailto:mgates () americanbus com>


From: Y M [mailto:snort () outlook com]
Sent: Monday, September 12, 2016 10:17 AM
To: Mitch Gates <MGates () americanbus com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] threshold.conf global suppression by IP


Did you try the below syntax?



suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24



Documentation says you can add an <ip-list>, though it is not clear to me how this list should be formatted. Snort 
runs fine with the above syntax but I am not sure if the intended behavior works.



YM

________________________________
From: Mitch Gates <MGates () americanbus com<mailto:MGates () americanbus com>>
Sent: Monday, September 12, 2016 5:46 PM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] threshold.conf global suppression by IP


I am running 2.9.8.3 - here is the syntax I am trying to use, to be specific:



suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24



It seems that if I have one global suppress the service will start and run - if I try to do multiple lines for multiple 
IP addresses it won't start, such as:



suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24

suppress gen_id 0, sig_id 0, track by_src, ip 2.2.2.0/24



Any ideas on how to get this to work with multiple IP addresses?



From: Victor Roemer [mailto:viroemer () cisco com]
Sent: Friday, September 9, 2016 2:38 PM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] threshold.conf global suppression by IP



IIRC gen_id 0, sig_id 0 was added a few years ago. Make sure you're running the latest version (2.9.8.3).



On 9/9/16 12:41 PM, Y M wrote:

Hmm, the documentation clearly states that gen_id 0, sig_id 0 can be used with suppress. Can you get exactly what is 
causing the service to not run?



I just did a quick test and snort seems to run fine. I put this in my threshold.conf



suppress gen_id 0, sig_id 0



YM

________________________________

From: Mitch Gates <MGates () americanbus com><mailto:MGates () americanbus com>
Sent: Friday, September 9, 2016 7:31 PM
To: Y M
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: RE: [Snort-users] threshold.conf global suppression by IP



When I try to suppress gen_id 0, sig_id 0, the snort service will not start







Sent from my Verizon, Samsung Galaxy smartphone



-------- Original message --------

From: Y M <snort () outlook com><mailto:snort () outlook com>

Date: 9/9/16 11:22 AM (GMT-06:00)

To: Mitch Gates <MGates () americanbus com><mailto:MGates () americanbus com>

Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>

Subject: Re: [Snort-users] threshold.conf global suppression by IP



Yes you can set a global filter among all rule types (text, so, etc). To do this, your event_filter should have:



gen_id 0, sig_id 0



If you want to address text rules only, then



gen_id 1, sig_id 0



and so on.



YM

Sent from Mobile





On Fri, Sep 9, 2016 at 7:16 PM +0300, "Mitch Gates" <MGates () americanbus com<mailto:MGates () americanbus com>> wrote:

Is there any way I can suppress events globally from a dst or src ip rather than defining each individual gen id and 
sig id I want to suppress?



------------------------------------------------------------------------------



_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users>

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users<http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>



Please visit http://blog.snort.org<http://blog.snort.org> to stay current on all the latest Snort news!


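Editor's added example (not code from Snort or from anyone in the thread): the thread turns on how a `suppress` line is matched, with gen_id 0, sig_id 0 acting as a wildcard over every generator and signature, and `track by_src` / `by_dst` choosing which address of an event is compared against the ip list. The script below parses suppress lines in the syntax used above, evaluates constructed sample events against them, and flags the two configurations Mitch reports Snort 2.9.8.3 refuses to start with (two global lines with the same track, or a by_src global next to a by_dst global), suggesting the single merged-list line that did start. The sample threshold.conf, the rule-specific sids and host (1000001, 2000002, 10.0.0.5), the sample events, and the acceptance of a bracketed comma-separated list alongside the space-separated form from the thread are assumptions for illustration; the lint mirrors what the thread reports, not documented Snort semantics.

```python
#!/usr/bin/env python3
"""Parse Snort 2.x threshold.conf 'suppress' lines and test events against them.

Added example for this thread; not Snort's own code. The sample config, the
rule-specific sids/hosts and the lint rule are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample threshold.conf: the global line Mitch got to start, plus
# two rule-specific entries (assumed sids/host) to contrast with gen_id 0/sig_id 0.
SAMPLE_CONF = """\
# global: suppress every event whose *source* is in either /24
suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24
# one rule, only when the *destination* is a specific host
suppress gen_id 1, sig_id 1000001, track by_dst, ip 10.0.0.5
# one rule, suppressed unconditionally (no track/ip clause)
suppress gen_id 1, sig_id 2000002
"""

# suppress gen_id <gid>, sig_id <sid> [, track by_src|by_dst, ip <ip-list>]
LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?))?\s*$"
)


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str] = None      # "by_src", "by_dst", or None = unconditional
    nets: List[Network] = field(default_factory=list)

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        """gen_id 0 / sig_id 0 act as wildcards; track picks which address of the
        event is compared against the ip list."""
        if self.gen_id not in (0, gid) or self.sig_id not in (0, sid):
            return False
        if self.track is None:
            return True
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return any(addr in net for net in self.nets)


def parse_ip_list(text: str) -> List[Network]:
    # Assumption: accept the space-separated list seen in the thread and a
    # bracketed, comma-separated one; bare hosts become /32 (or /128).
    toks = [t for t in re.split(r"[\s,]+", text.strip().strip("[]")) if t]
    return [ipaddress.ip_network(t, strict=False) for t in toks]


def parse_threshold_conf(text: str) -> List[Suppress]:
    entries: List[Suppress] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress"):
            continue  # blank, comment, or an event_filter line (not handled here)
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised suppress syntax: {raw!r}")
        gid, sid, track, iplist = m.groups()
        entries.append(Suppress(int(gid), int(sid), track,
                                parse_ip_list(iplist) if iplist else []))
    return entries


def is_suppressed(entries: List[Suppress], gid: int, sid: int,
                  src: str, dst: str) -> bool:
    return any(e.matches(gid, sid, src, dst) for e in entries)


def lint_global_entries(entries: List[Suppress]) -> List[str]:
    """Flag what the thread reports Snort 2.9.8.3 rejects at startup: more than
    one gen_id 0, sig_id 0 suppress line. Same track -> suggest one merged ip
    list (the form that did start); mixed by_src/by_dst -> just report it."""
    globs = [e for e in entries if e.gen_id == 0 and e.sig_id == 0]
    if len(globs) < 2:
        return []
    tracks = sorted({e.track for e in globs if e.track})
    if not tracks:
        return ["duplicate unconditional global suppress lines; keep one"]
    if len(tracks) == 1:
        merged = " ".join(str(n) for e in globs for n in e.nets)
        return [f"{len(globs)} global suppress lines with track {tracks[0]}; merge "
                f"into: suppress gen_id 0, sig_id 0, track {tracks[0]}, ip {merged}"]
    return [f"global suppress lines mix track directions {tracks}; the thread "
            "reports Snort will not start with both by_src and by_dst globals"]


if __name__ == "__main__":
    conf = parse_threshold_conf(SAMPLE_CONF)
    for gid, sid, src, dst in [(1, 12345, "1.1.1.7", "10.9.9.9"),
                               (1, 12345, "10.9.9.9", "1.1.1.7"),
                               (1, 1000001, "10.9.9.9", "10.0.0.5")]:
        print(gid, sid, src, "->", dst, "suppressed:",
              is_suppressed(conf, gid, sid, src, dst))
    for msg in lint_global_entries(parse_threshold_conf(
            "suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24\n"
            "suppress gen_id 0, sig_id 0, track by_dst, ip 2.2.2.0/24\n")):
        print("lint:", msg)
```

Running the script shows the asymmetry Mitch noticed: a source in 1.1.1.0/24 is suppressed by the by_src global, but the same address as a destination is not, since the global line tracks only one direction. The linter is a pre-flight check for threshold.conf edits, so that a reload failure is caught before the sensor goes down rather than discovered from a dead process.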
