Snort mailing list archives
Re: threshold.conf global suppression by IP
From: Mitch Gates <MGates () americanbus com>
Date: Mon, 12 Sep 2016 15:25:48 +0000
Thanks YM - the service did start with that syntax, so I'll have to see if it behaves as intended. Still one issue though.. It appears that with a global suppress I have to choose either src or dst, I can't do both? IE.. I can do either: suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24 <OR> suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24 And the service will start fine.. If I try: suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24 suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24 The service will not start. So does anyone know how to get global suppress on both src/dst? MITCH GATES | Systems Administrator | American Solutions for Business Office: 320-334-3535 | Cell: 320-424-0206 | Email: mgates () americanbus com<mailto:mgates () americanbus com> [cid:image001.png@01D18F13.79A78F70] [cid:image002.png@01D18F13.79A78F70] <http://home.americanbus.com/> [cid:image003.png@01D18F13.79A78F70] <https://www.facebook.com/americanbus> [cid:image004.png@01D18F13.79A78F70] <https://www.linkedin.com/company/american-solutions-for-business> [cid:image005.png@01D18F13.79A78F70] <https://twitter.com/americanbus> [cid:image006.png@01D18F13.79A78F70] <https://www.youtube.com/user/AmericanASB> [cid:image007.png@01D18F13.79A78F70] <http://americanbusblog.com/> From: Y M [mailto:snort () outlook com] Sent: Monday, September 12, 2016 10:17 AM To: Mitch Gates <MGates () americanbus com> Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] threshold.conf global suppression by IP Did you try the below syntax? suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24 Documentation says you can add an <ip-list> , though it is not clear to me how this list should be formatted. Snort runs fine with the above syntax but I am not sure if the intended behavior works. YM ________________________________ From: Mitch Gates <MGates () americanbus com<mailto:MGates () americanbus com>> Sent: Monday, September 12, 2016 5:46 PM To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] threshold.conf global suppression by IP I am running 2.9.8.3 - here is the syntax I am trying to use, to be specific: suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 It seems that if I have one global suppress the service will start and run - if I try to do multiple lines for multiple IP addresses it won't start, such as: suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 suppress gen_id 0, sig_id 0, track by_src, ip 2.2.2.0/24 Any ideas on how to get this to work with multiple IP addresses? From: Victor Roemer [mailto:viroemer () cisco com] Sent: Friday, September 9, 2016 2:38 PM To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] threshold.conf global suppression by IP IIRC gen_id 0, sig_id 0 was added a few years ago. Make sure your running the latest version (2.9.8.3). On 9/9/16 12:41 PM, Y M wrote: Hmm, the documentation clearly states that gen_id 0, sig_id 0 can be used with suppress. Can you get exactly what causing the service to not run? I just did a quick test and snort seems to run fine. I put this in my threshold.conf suppress gen_id 0, sig_id 0 YM ________________________________ From: Mitch Gates <MGates () americanbus com><mailto:MGates () americanbus com> Sent: Friday, September 9, 2016 7:31 PM To: Y M Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: RE: [Snort-users] threshold.conf global suppression by IP When i try to suppress gen_id 0, sig_id 0 snort service will not start Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: Y M <snort () outlook com><mailto:snort () outlook com> Date: 9/9/16 11:22 AM (GMT-06:00) To: Mitch Gates <MGates () americanbus com><mailto:MGates () americanbus com> Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] threshold.conf global suppression by IP Yes you can set a global filter among all rule types (text, so, etc). To do this, your event_filter should have: gen_id 0, sig_id 0 If you want to address text rules only, then gen_id 1, sig_id 0 and so on. YM Sent from Mobile On Fri, Sep 9, 2016 at 7:16 PM +0300, "Mitch Gates" <MGates () americanbus com<mailto:MGates () americanbus com>> wrote: Is there any way I can suppress events globally from a dst or src ip rather than defining each individual gen id and sig id I want to suppress? ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users<http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users> Please visit http://blog.snort.org<http://blog.snort.org> to stay current on all the latest Snort news!
------------------------------------------------------------------------------ What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports. http://sdm.link/zohodev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- threshold.conf global suppression by IP Mitch Gates (Sep 09)
- Re: threshold.conf global suppression by IP Y M (Sep 09)
- <Possible follow-ups>
- Re: threshold.conf global suppression by IP Mitch Gates (Sep 09)
- Re: threshold.conf global suppression by IP Y M (Sep 09)
- Re: threshold.conf global suppression by IP Victor Roemer (Sep 09)
- Re: threshold.conf global suppression by IP Mitch Gates (Sep 12)
- Re: threshold.conf global suppression by IP Y M (Sep 12)
- Re: threshold.conf global suppression by IP Mitch Gates (Sep 12)
- Re: threshold.conf global suppression by IP wkitty42 (Sep 12)
- Re: threshold.conf global suppression by IP Y M (Sep 12)
- Re: threshold.conf global suppression by IP James Lay (Sep 12)
- Re: threshold.conf global suppression by IP Y M (Sep 09)