Snort mailing list archives

Re: threshold.conf global suppression by IP


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 12 Sep 2016 12:15:26 -0600

You get one or the other, not both:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24

"suppress gen_id 0, sig_id 0" has been declared already, so adding a 
second with track by_dst is considered the same suppression.

James
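As an added illustration (not code from the thread or from Snort itself), the following Python checks a threshold.conf fragment for exactly the condition James describes, a second suppress line for the same gen_id/sig_id, and then shows why a single track direction covers only src or dst. The sample configuration, the parser and the match logic are constructed for this example from the line syntax quoted in the thread; the resolution order (exact rule, then gen_id/sig_id 0, then 0/0) is an assumption drawn from YM's explanation of the gen_id 1, sig_id 0 form.

```python
import ipaddress
import re
# Constructed sample in the shape Mitch tried: two global suppressions for
# gen_id 0 / sig_id 0 (by_src and by_dst) plus one per-rule entry.
SAMPLE_CONF = """
# global suppress, as discussed on the list
suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24
suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24
suppress gen_id 1, sig_id 2000, track by_src, ip 10.0.0.5
"""
LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+))?$")
def parse_threshold_conf(text):
    """Return (entries keyed by (gen_id, sig_id), errors). A second line for
    the same key is a duplicate: the condition that stopped Snort starting."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((lineno, "unparseable suppress line"))
            continue
        key = (int(m.group(1)), int(m.group(2)))
        if key in entries:
            errors.append((lineno, "duplicate suppress for gen_id %d, sig_id %d" % key))
            continue
        track, ip_list = m.group(3), m.group(4)
        nets = []
        if ip_list:  # accept "a b", "a,b" or "[a, b]" forms of the ip-list
            for tok in re.split(r"[\s,]+", ip_list.strip("[] ")):
                nets.append(ipaddress.ip_network(tok, strict=False))
        entries[key] = (track, nets)
    return entries, errors
def is_suppressed(entries, gen_id, sig_id, src, dst):
    """Would event (gen_id, sig_id) from src to dst be suppressed? Checks the
    exact rule, the per-generator (gen_id, 0) and the global (0, 0) entry."""
    for key in ((gen_id, sig_id), (gen_id, 0), (0, 0)):
        if key not in entries:
            continue
        track, nets = entries[key]
        if track is None:  # no track/ip clause: suppress unconditionally
            return True
        addr = ipaddress.ip_address(src if track == "by_src" else dst)  # one direction only
        if any(addr in net for net in nets):
            return True
    return False
```

Running it on SAMPLE_CONF reports the by_dst line as a duplicate, and an event whose destination (not source) is in 1.1.1.0/24 is therefore not suppressed by the surviving by_src entry.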

On 2016-09-12 12:07, Y M wrote:
The service won't start because Snort fatals with error (or something
close):

Duplicated type definition '141 -> 168 at offset 12.
ERROR: threshold.conf(76) suppress could not be created.
Fatal Error, Quitting..
Perhaps whitelisting through reputation preprocessor may be a better
alternative? Check the preprocessor and see if it fits your use case.


 YM

-------------------------

FROM: Mitch Gates <MGates () americanbus com>
SENT: Monday, September 12, 2016 6:25 PM
TO: Y M
CC: snort-users () lists sourceforge net
SUBJECT: RE: [Snort-users] threshold.conf global suppression by IP

Thanks YM – the service did start with that syntax, so I'll have
to see if it behaves as intended. Still one issue though: it appears
that with a global suppress I have to choose either src or dst, I
can't do both? I.e., I can do either:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24

 <OR>

suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24

And the service will start fine.. If I try:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24

suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24

The service will not start.  So does anyone know how to get global
suppress on both src/dst?

 MITCH GATES | Systems Administrator | American Solutions for Business

Office: 320-334-3535 | Cell: 320-424-0206 | Email:
mgates () americanbus com


 FROM: Y M [mailto:snort () outlook com]
SENT: Monday, September 12, 2016 10:17 AM
TO: Mitch Gates <MGates () americanbus com>
CC: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] threshold.conf global suppression by IP

Did you try the below syntax?

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24

Documentation says you can add an <ip-list> , though it is not clear
to me how this list should be formatted. Snort runs fine with the
above syntax but I am not sure if the intended behavior works.

YM

-------------------------

 FROM: Mitch Gates <MGates () americanbus com>
SENT: Monday, September 12, 2016 5:46 PM
TO: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] threshold.conf global suppression by IP

I am running 2.9.8.3 – here is the syntax I am trying to use, to be
specific:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24

It seems that if I have one global suppress the service will start and
run – if I try to do multiple lines for multiple IP addresses it
won’t start, such as:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24

suppress gen_id 0, sig_id 0, track by_src, ip 2.2.2.0/24

Any ideas on how to get this to work with multiple IP addresses?

FROM: Victor Roemer [mailto:viroemer () cisco com]
SENT: Friday, September 9, 2016 2:38 PM
TO: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] threshold.conf global suppression by IP

IIRC gen_id 0, sig_id 0 was added a few years ago. Make sure you're
running the latest version (2.9.8.3).

On 9/9/16 12:41 PM, Y M wrote:

Hmm, the documentation clearly states that gen_id 0, sig_id 0 can be
used with suppress. Can you get exactly what is causing the service to
not run?

I just did a quick test and snort seems to run fine. I put this in
my threshold.conf

suppress gen_id 0, sig_id 0

YM

-------------------------

FROM: Mitch Gates <MGates () americanbus com>
SENT: Friday, September 9, 2016 7:31 PM
TO: Y M
CC: snort-users () lists sourceforge net
SUBJECT: RE: [Snort-users] threshold.conf global suppression by IP

When I try to suppress gen_id 0, sig_id 0, the snort service will not
start.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message --------

From: Y M <snort () outlook com>

Date: 9/9/16 11:22 AM (GMT-06:00)

To: Mitch Gates <MGates () americanbus com>

Cc: snort-users () lists sourceforge net

Subject: Re: [Snort-users] threshold.conf global suppression by IP

Yes you can set a global filter among all rule types (text, so,
etc). To do this, your event_filter should have:

gen_id 0, sig_id 0

If you want to address text rules only, then

gen_id 1, sig_id 0

and so on.

YM

Sent from Mobile

On Fri, Sep 9, 2016 at 7:16 PM +0300, "Mitch Gates"
<MGates () americanbus com> wrote:

Is there any way I can suppress events globally from a dst or src ip
rather than defining each individual gen id and sig id I want to
suppress?


------------------------------------------------------------------------------

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

