Re: Snort Network Suppression

["Jamie Riden" <jamie.riden () gmail com>]

On 14/12/2007, Jonathan Askew JBASKEW <JBASKEW () uncg edu> wrote:
> I am new to IDS and have just set up snort on a ubuntu host. It has worked
> well except for the fact that I am getting some false positivies from local
> traffic on the network. I have been trying to find the solution on snort's
> forums but the site seems to be going up and down randomly. I want to set a
> rule in order to suppress/ignore local network traffic for 192.168.1.0/24.
> I know this can be done in the /etc/threshold.conf file but have not been
> able to do so successfully. Can someone be so kind as to post their
> threshold.conf file or guide me through the process?

Hi there,

I haven't tried the threshold stuff myself - but can you post your
threshold.conf ? The doco suggests something like this:

suppress gen_id 1, sig_id 1852, track by_dst, ip 192.168.1.0/24

for each sid (1852 in this case) you want to suppress. I would track
by destination, because often the alerts indicating outgoing attacks
are the interesting ones. (The internet attacking you is not news, you
attacking the internet definitely is news.)

You might do better with this query on snort-users:
https://lists.sourceforge.net/lists/listinfo/snort-users

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------