Snort mailing list archives

Suppression configuration reading IP address backwards?


From: Martin McKeay <mmckeay () yahoo com>
Date: Thu, 8 Jan 2004 07:50:08 -0800 (PST)

Good morning,

At the suggestion of Chris Kelidas, who was trying to help me filter out some
of the excessive alerts I was seeing due to the http_inspect, I tried implementing
the event suppression, and I'm having a really hard time of it.  This morning I ran
Snort without using the daemon mode for the first time and really looked at the
output.  It appears to me that the event suppression commands are reading the
IP address in reverse!  Is this just my particular configuration (Snort 2.1.0,
on Solaris 9.0) or is this a problem others have been seeing?

Here is the relevant part of my snort.conf:


#  suppression rules for the mangled IP traffic to the Proxy servers
suppress gen_id 116, sig_id 54, track by_dst, ip 10.4.1.45/32
suppress gen_id 116, sig_id 54, track by_dst, ip 10.4.1.46/32
suppress gen_id 116, sig_id 55, track by_dst, ip 10.4.1.45/32
suppress gen_id 116, sig_id 56, track by_dst, ip 10.4.1.46/32

# Suppression rules for mangled HTTP traffic from the Proxy Servers
suppress gen_id 119, sig_id 13, track by_src, ip 10.0.0.0/8
suppress gen_id 119, sig_id 13, track by_src, ip 10.0.0.0/8
suppress gen_id 119, sig_id 1, track by_src, ip 10.0.0.0/8
suppress gen_id 119, sig_id 1, track by_src, ip 10.0.0.0/8
 

And here is the relevant portion of the Snort initialization using this config.

+-----------------------[suppression]------------------------------------------
| gen-id=116    sig-id=55   tracking=dst ip=45.1.4.10      mask=255.255.255.255
| gen-id=116    sig-id=56   tracking=dst ip=46.1.4.10      mask=255.255.255.255
| gen-id=116    sig-id=54   tracking=dst ip=45.1.4.10      mask=255.255.255.255
| gen-id=116    sig-id=54   tracking=dst ip=46.1.4.10      mask=255.255.255.255
| gen-id=119    sig-id=13         tracking=src ip=0.0.0.10       mask=0.0.0.255
| gen-id=119    sig-id=13         tracking=src ip=0.0.0.10       mask=0.0.0.255
| gen-id=119    sig-id=1          tracking=src ip=0.0.0.10       mask=0.0.0.255
| gen-id=119    sig-id=1          tracking=src ip=0.0.0.10       mask=0.0.0.255


My next experiment will be to try entering the IPs in reverse and seeing if
that fixes the issue.  Much fun to be had by all!

Martin McKeay

=====
Martin McKeay, CISSP, CCNA
http://www.mckeay.net
707-529-7701
marty () mckeay net
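Added example, not part of the original post or of Snort itself: a small check that compares the suppress lines in snort.conf against the "[suppression]" dump Snort prints at startup and reports, per entry, whether the address Snort loaded matches the configured one, is its exact octet-for-octet reversal (the pattern shown in the post), or is something else. The byte_reversed() helper also shows where such a reversal comes from: a 4-byte address read in one byte order and written back in the other. The regexes, the sample config and dump text, and the one-line dump layout are assumptions made here for the example.

```python
import ipaddress
import re
import struct

# Constructed sample input, taken from the shapes shown in the post
# (two suppress lines and the matching startup dump lines).
SNORT_CONF = """\
suppress gen_id 116, sig_id 54, track by_dst, ip 10.4.1.45/32
suppress gen_id 119, sig_id 13, track by_src, ip 10.0.0.0/8
"""

STARTUP_DUMP = """\
| gen-id=116    sig-id=54   tracking=dst ip=45.1.4.10      mask=255.255.255.255
| gen-id=119    sig-id=13         tracking=src ip=0.0.0.10       mask=0.0.0.255
"""

# Assumed line formats; \s+ also spans a line break, so a mask= that a mail
# client wrapped onto the next line is still picked up.
CONF_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*track\s+by_(src|dst),\s*ip\s+(\S+)"
)
DUMP_RE = re.compile(
    r"gen-id=(\d+)\s+sig-id=(\d+)\s+tracking=(src|dst)\s+ip=(\S+)\s+mask=(\S+)"
)


def byte_reversed(addr: str) -> str:
    """Return addr with its four octets in reverse order.

    This is exactly what appears when the 4 network-order bytes of an
    address are read as an integer in the opposite byte order and then
    written back out in network order, i.e. a host/network byte-order
    mix-up (ntohl/htonl applied once too often or once too few).
    """
    packed = ipaddress.IPv4Address(addr).packed          # network (big-endian) order
    as_wrong_order = struct.unpack("<I", packed)[0]      # read as little-endian
    swapped = struct.pack(">I", as_wrong_order)          # write back big-endian
    return str(ipaddress.IPv4Address(swapped))


def check_suppression(conf_text: str, dump_text: str) -> list:
    """Match each dump entry to its suppress line and classify it.

    status is "ok" (loaded as configured), "reversed" (address and mask
    both octet-reversed), or "unexpected" (no configured entry explains it).
    """
    configured = {}
    for gen, sig, track, cidr in CONF_RE.findall(conf_text):
        net = ipaddress.ip_network(cidr, strict=False)
        configured.setdefault((int(gen), int(sig), track), []).append(net)

    findings = []
    for gen, sig, track, ip, mask in DUMP_RE.findall(dump_text):
        key = (int(gen), int(sig), track)
        status = "unexpected"
        for net in configured.get(key, []):
            exp_ip, exp_mask = str(net.network_address), str(net.netmask)
            if (ip, mask) == (exp_ip, exp_mask):
                status = "ok"
                break
            if (ip, mask) == (byte_reversed(exp_ip), byte_reversed(exp_mask)):
                status = "reversed"
                break
        findings.append({"gen_id": key[0], "sig_id": key[1], "track": track,
                         "ip": ip, "mask": mask, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_suppression(SNORT_CONF, STARTUP_DUMP):
        print(f"gen {f['gen_id']} sig {f['sig_id']} {f['track']} "
              f"{f['ip']}/{f['mask']}: {f['status']}")
```

A suppress entry that loads reversed is not merely cosmetic: until it is confirmed, the noisy alerts are still firing and, worse, alerts from whatever host the reversed address happens to denote are being silenced. Running a check like this against the real startup output before trusting a suppression list makes that visible. Note that both the address and the mask are reversed in the post's dump, which is what a byte-order mix-up produces; the post does not say which hardware the Solaris box is, so this only says the symptom is consistent with that cause.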
