Snort mailing list archives
Re: threshold.conf global suppression by IP
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 12 Sep 2016 12:15:26 -0600
You get one or the other, not both:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24

"suppress gen_id 0, sig_id 0" has been declared already, so adding a second with track by_dst is considered the same suppression.

James

On 2016-09-12 12:07, Y M wrote:

The service won't start because Snort fatals with error (or something close):

Duplicated type definition '141 -> 168 at offset 12. ERROR: threshold.conf(76) suppress could not be created. Fatal Error, Quitting..

Perhaps whitelisting through reputation preprocessor may be a better alternative? Check the preprocessor and see if it fits your use case.

YM

-------------------------
FROM: Mitch Gates <MGates () americanbus com>
SENT: Monday, September 12, 2016 6:25 PM
TO: Y M
CC: snort-users () lists sourceforge net
SUBJECT: RE: [Snort-users] threshold.conf global suppression by IP

Thanks YM - the service did start with that syntax, so I'll have to see if it behaves as intended. Still one issue though. It appears that with a global suppress I have to choose either src or dst, I can't do both? I.e. I can do either:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24
<OR>
suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24

And the service will start fine. If I try:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24
suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24

The service will not start. So does anyone know how to get global suppress on both src/dst?

MITCH GATES | Systems Administrator | American Solutions for Business
Office: 320-334-3535 | Cell: 320-424-0206 | Email: mgates () americanbus com

-------------------------
FROM: Y M [mailto:snort () outlook com]
SENT: Monday, September 12, 2016 10:17 AM
TO: Mitch Gates <MGates () americanbus com>
CC: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] threshold.conf global suppression by IP

Did you try the below syntax?

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24

Documentation says you can add an <ip-list>, though it is not clear to me how this list should be formatted. Snort runs fine with the above syntax but I am not sure if the intended behavior works.

YM

-------------------------
FROM: Mitch Gates <MGates () americanbus com>
SENT: Monday, September 12, 2016 5:46 PM
TO: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] threshold.conf global suppression by IP

I am running 2.9.8.3 - here is the syntax I am trying to use, to be specific:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24

It seems that if I have one global suppress the service will start and run - if I try to do multiple lines for multiple IP addresses it won't start, such as:

suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24
suppress gen_id 0, sig_id 0, track by_src, ip 2.2.2.0/24

Any ideas on how to get this to work with multiple IP addresses?

-------------------------
FROM: Victor Roemer [mailto:viroemer () cisco com]
SENT: Friday, September 9, 2016 2:38 PM
TO: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] threshold.conf global suppression by IP

IIRC gen_id 0, sig_id 0 was added a few years ago. Make sure you're running the latest version (2.9.8.3).

On 9/9/16 12:41 PM, Y M wrote:

Hmm, the documentation clearly states that gen_id 0, sig_id 0 can be used with suppress. Can you get exactly what is causing the service to not run? I just did a quick test and snort seems to run fine. I put this in my threshold.conf:

suppress gen_id 0, sig_id 0

YM

-------------------------
FROM: Mitch Gates <MGates () americanbus com>
SENT: Friday, September 9, 2016 7:31 PM
TO: Y M
CC: snort-users () lists sourceforge net
SUBJECT: RE: [Snort-users] threshold.conf global suppression by IP

When I try to suppress gen_id 0, sig_id 0 snort service will not start.

-------- Original message --------
From: Y M <snort () outlook com>
Date: 9/9/16 11:22 AM (GMT-06:00)
To: Mitch Gates <MGates () americanbus com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] threshold.conf global suppression by IP

Yes you can set a global filter among all rule types (text, so, etc). To do this, your event_filter should have:

gen_id 0, sig_id 0

If you want to address text rules only, then gen_id 1, sig_id 0 and so on.

YM

On Fri, Sep 9, 2016 at 7:16 PM +0300, "Mitch Gates" <MGates () americanbus com> wrote:

Is there any way I can suppress events globally from a dst or src ip rather than defining each individual gen id and sig id I want to suppress?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
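The thread's failure mode (a second "suppress gen_id 0, sig_id 0" line is rejected as a duplicate, so one global suppress can track by_src or by_dst but not both) is easy to catch before restarting the service. The following script is an added example, not part of the thread and not Snort's own parser: it lints the suppress lines of a threshold.conf against the behaviour the posters describe, then evaluates which alerts the surviving entries would hide. Assumptions, labelled in the code: gen_id 0 matches every generator and sig_id 0 every signature (as Y M describes); a bracketed, comma-separated ip list is accepted alongside the space-separated form used in the thread; the sample configs are constructed from the thread's own lines.

```python
"""Lint Snort threshold.conf 'suppress' lines and evaluate what they would hide.

Added example modelling the behaviour described on the snort-users thread; it is
not Snort's parser. Assumption: a second 'suppress gen_id X, sig_id Y' with the
same gen_id/sig_id is a duplicate that makes Snort refuse to start.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip-list>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S.*))?$"
)


@dataclass
class Suppress:
    line_no: int
    gen_id: int
    sig_id: int
    track: Optional[str]   # None: suppress regardless of address
    networks: list         # ipaddress network objects


def parse_ip_list(text: str) -> list:
    """Accept the space-separated list used in the thread ('1.1.1.0/24 2.2.2.0/24')
    and, as an assumption mirroring Snort rule IP-list syntax, a bracketed
    comma-separated list ('[1.1.1.0/24,2.2.2.0/24]'). Raises ValueError if malformed."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [ipaddress.ip_network(p, strict=False) for p in re.split(r"[\s,]+", text) if p]


def lint_threshold_conf(text: str) -> Tuple[List[Suppress], List[str]]:
    """Return (accepted suppress entries, error messages) for a threshold.conf body."""
    entries: List[Suppress] = []
    errors: List[str] = []
    seen = {}                                   # (gen_id, sig_id) -> first line number
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments; skip blank/other lines
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            errors.append(f"line {n}: unrecognised suppress syntax: {line!r}")
            continue
        gid, sid = int(m.group(1)), int(m.group(2))
        try:
            nets = parse_ip_list(m.group(4)) if m.group(4) else []
        except ValueError as exc:
            errors.append(f"line {n}: bad ip list: {exc}")
            continue
        if (gid, sid) in seen:
            errors.append(f"line {n}: suppress gen_id {gid}, sig_id {sid} already declared "
                          f"on line {seen[(gid, sid)]}; Snort treats it as a duplicate "
                          "and will not start")
            continue
        seen[(gid, sid)] = n
        entries.append(Suppress(n, gid, sid, m.group(3), nets))
    return entries, errors


def is_suppressed(entries: List[Suppress], gid: int, sid: int, src: str, dst: str) -> bool:
    """True if any entry hides an alert with this gid/sid between src and dst.
    Assumption: gen_id 0 matches every generator, sig_id 0 every signature."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.gen_id not in (0, gid) or e.sig_id not in (0, sid):
            continue
        if e.track is None:
            return True
        addr = src_ip if e.track == "by_src" else dst_ip
        if any(addr in net for net in e.networks):
            return True
    return False


# Constructed sample configs taken from the two cases discussed in the thread.
WORKS = "suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.0/24 2.2.2.0/24\n"
FAILS = WORKS + "suppress gen_id 0, sig_id 0, track by_dst, ip 1.1.1.0/24 2.2.2.0/24\n"

if __name__ == "__main__":
    entries, errors = lint_threshold_conf(WORKS)
    print("single by_src entry, errors:", errors)
    print("alert from 1.1.1.5 hidden:", is_suppressed(entries, 1, 2000001, "1.1.1.5", "9.9.9.9"))
    print("alert to 1.1.1.5 hidden:  ", is_suppressed(entries, 1, 2000001, "9.9.9.9", "1.1.1.5"))
    print("by_src plus by_dst, errors:", lint_threshold_conf(FAILS)[1])
```

Running the linter over the by_src plus by_dst config reports the duplicate on line 2, and the evaluator shows the consequence of the working config: alerts sourced from 1.1.1.0/24 are hidden while alerts destined to it are not, which is exactly the asymmetry Mitch hit. Whether the reputation preprocessor suggested in the thread is the better fit depends on whether the goal is to stop alerting on those networks or to stop inspecting them entirely.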