Snort mailing list archives

Suppressing alerts doesn't work


From: Jiří Červenka <cervenka () sps-pi cz>
Date: Fri, 04 Mar 2005 12:14:00 +0100

Hello,
I'm trying to suppress a few alerts. I have inserted these values into threshold.conf and included it in snort.conf:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3:
suppress gen_id 119, sig_id 7

Then I restarted snort. Here is the daemon.log:

Mar  4 09:15:27 gate snort: Initializing daemon mode
Mar  4 09:15:27 gate snort: PID path stat checked out ok, PID path set to /var/run/
Mar  4 09:15:27 gate snort: Writing PID "759" to file "/var/run//snort_eth1.pid"
Mar  4 09:15:27 gate snort: Parsing Rules file /etc/snort/snort.conf
Mar  4 09:15:27 gate snort: ,-----------[Flow Config]----------------------
Mar  4 09:15:27 gate snort: | Stats Interval:  0
Mar  4 09:15:27 gate snort: | Hash Method:     2
Mar  4 09:15:27 gate snort: | Memcap:          10485760
Mar  4 09:15:27 gate snort: | Rows  :          4099
Mar  4 09:15:27 gate snort: | Overhead Bytes:  16400(%0.16)
Mar  4 09:15:27 gate snort: `----------------------------------------------
Mar  4 09:15:27 gate snort: HttpInspect Config:
Mar  4 09:15:27 gate snort:     GLOBAL CONFIG
Mar  4 09:15:27 gate snort:       Max Pipeline Requests:    0
Mar  4 09:15:27 gate snort:       Inspection Type:          STATELESS
Mar  4 09:15:27 gate snort:       Detect Proxy Usage:       NO
Mar  4 09:15:27 gate snort:       IIS Unicode Map Filename: /etc/snort/unicode.map
Mar  4 09:15:27 gate snort:       IIS Unicode Map Codepage: 1252
Mar  4 09:15:27 gate snort:     DEFAULT SERVER CONFIG:
Mar  4 09:15:27 gate snort:       Ports: 80 8080 8180
Mar  4 09:15:27 gate snort:       Flow Depth: 300
Mar  4 09:15:27 gate snort:       Max Chunk Length: 500000
Mar  4 09:15:27 gate snort:       Inspect Pipeline Requests: YES
Mar  4 09:15:27 gate snort:       URI Discovery Strict Mode: NO
Mar  4 09:15:27 gate snort:       Allow Proxy Usage: NO
Mar  4 09:15:27 gate snort:       Disable Alerting: NO
Mar  4 09:15:27 gate snort:       Oversize Dir Length: 500
Mar  4 09:15:27 gate snort:       Only inspect URI: NO
Mar  4 09:15:27 gate snort:       Ascii: YES alert: NO
Mar  4 09:15:27 gate snort:       Double Decoding: YES alert: YES
Mar  4 09:15:27 gate snort:       %U Encoding: YES alert: YES
Mar  4 09:15:27 gate snort:       Bare Byte: YES alert: YES
Mar  4 09:15:27 gate snort:       Base36: OFF
Mar  4 09:15:27 gate snort:       UTF 8: OFF
Mar  4 09:15:27 gate snort:       IIS Unicode: YES alert: YES
Mar  4 09:15:27 gate snort:       Multiple Slash: YES alert: NO
Mar  4 09:15:27 gate snort:       IIS Backslash: YES alert: NO
Mar  4 09:15:27 gate snort:       Directory Traversal: YES alert: NO
Mar  4 09:15:27 gate snort:       Web Root Traversal: YES alert: YES
Mar  4 09:15:27 gate snort:       Apache WhiteSpace: YES alert: NO
Mar  4 09:15:27 gate snort:       IIS Delimiter: YES alert: NO
Mar  4 09:15:27 gate snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Mar  4 09:15:27 gate snort:       Non-RFC Compliant Characters: NONE
Mar  4 09:15:27 gate snort: rpc_decode arguments:
Mar  4 09:15:27 gate snort:     Ports to decode RPC on: 111 32771
Mar  4 09:15:27 gate snort:     alert_fragments: INACTIVE
Mar  4 09:15:27 gate snort:     alert_large_fragments: ACTIVE
Mar  4 09:15:27 gate snort:     alert_incomplete: ACTIVE
Mar  4 09:15:27 gate snort:     alert_multiple_requests: ACTIVE
Mar  4 09:15:27 gate snort: telnet_decode arguments:
Mar  4 09:15:27 gate snort:     Ports to decode telnet on: 21 23 25 119
Mar  4 09:15:27 gate snort: Portscan Detection Config:
Mar  4 09:15:27 gate snort:     Detect Protocols:  TCP UDP ICMP IP
Mar  4 09:15:27 gate snort:     Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Mar  4 09:15:27 gate snort:     Sensitivity Level: Low
Mar  4 09:15:27 gate snort:     Memcap (in bytes): 10000000
Mar  4 09:15:27 gate snort:     Number of Nodes:   36900
Mar  4 09:15:27 gate snort:
Mar  4 09:15:28 gate snort: Warning: flowbits key 'tls1.client_hello.request' is checked but not ever set.
Mar  4 09:15:28 gate snort: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Mar  4 09:15:28 gate snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Mar  4 09:15:28 gate snort:
Mar  4 09:15:28 gate snort: +-----------------------[thresholding-config]----------------------------------
Mar  4 09:15:28 gate snort: | memory-cap : 1048576 bytes
Mar  4 09:15:28 gate snort: +-----------------------[thresholding-global]----------------------------------
Mar  4 09:15:28 gate snort: | none
Mar  4 09:15:28 gate snort: +-----------------------[thresholding-local]-----------------------------------
Mar  4 09:15:28 gate snort: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Mar  4 09:15:28 gate snort: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
Mar  4 09:15:28 gate snort: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Mar  4 09:15:28 gate snort: +-----------------------[suppression]------------------------------------------
Mar  4 09:15:28 gate snort: | gen-id=119 sig-id=7 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar  4 09:15:28 gate snort: | gen-id=122 sig-id=3 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar  4 09:15:28 gate snort: | gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar  4 09:15:28 gate snort: +------------------------------------------------------------------------------
Mar  4 09:15:28 gate snort: Rule application order: ->pass->activation->dynamic->alert->log
Mar  4 09:15:28 gate snort: Log directory = /var/log/snort
Mar  4 09:15:28 gate snort: Snort initialization completed successfully (pid=759)
Mar  4 09:15:31 gate snort: Final Flow Statistics
Mar  4 09:15:31 gate snort: Snort exiting

But the suppressed gen_ids and sig_ids are still caught by snort.
What is wrong?

Thanks for any help.
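The following is an added illustration and is not part of the original post or of Snort's own code. It models the semantics of the Snort 2.x `suppress` directive shown above: a line with only `gen_id`/`sig_id` suppresses the event for all traffic (which is what the `tracking=dstip=0.0.0.0 mask=0.0.0.0` entries in the log express), while a line with `track by_src|by_dst, ip <addr or CIDR>` suppresses it only for matching addresses. The parser here is deliberately strict and reports lines it cannot parse, so it flags the stray `:` after `sig_id 3` in the poster's configuration as suspicious; Snort's own parser evidently accepted that line, since the log lists `gen-id=122 sig-id=3`. The sample configuration inside the block is constructed for the example, and the event tuples fed to `is_suppressed` are likewise made up.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Grammar of the Snort 2.x suppress directive as used in threshold.conf:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr or CIDR>]
# Without the track/ip clause the event is suppressed for every address.
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*;?\s*$"
)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str] = None   # "by_src", "by_dst", or None for all traffic
    net: Optional[Network] = None


def parse_threshold_conf(text: str) -> Tuple[List[Suppress], List[Tuple[int, str]]]:
    """Parse the suppress lines of a threshold.conf body.

    Returns the accepted rules and a list of (line number, raw text) for
    suppress lines that do not match the grammar, so a typo such as a trailing
    ':' is reported instead of being silently ignored.
    """
    rules: List[Suppress] = []
    rejected: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or not line.startswith("suppress"):
            continue                              # blank, comment, or a threshold line
        m = SUPPRESS_RE.match(line)
        if not m:
            rejected.append((lineno, raw))
            continue
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gid), int(sid), track, net))
    return rules, rejected


def is_suppressed(rules: List[Suppress], gen_id: int, sig_id: int,
                  src_ip: str, dst_ip: str) -> bool:
    """Decide whether an event (gen_id, sig_id, src, dst) is suppressed."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (gen_id, sig_id):
            continue
        if r.track is None:
            return True                           # no address restriction
        addr = ipaddress.ip_address(src_ip if r.track == "by_src" else dst_ip)
        if r.net is not None and addr in r.net:
            return True
    return False


# Constructed sample: the three lines from the post plus one address-scoped rule.
SAMPLE_CONF = """\
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3:
suppress gen_id 119, sig_id 7
suppress gen_id 1, sig_id 2494, track by_dst, ip 10.0.0.0/8
"""

if __name__ == "__main__":
    rules, rejected = parse_threshold_conf(SAMPLE_CONF)
    for lineno, raw in rejected:
        print(f"line {lineno}: could not parse: {raw!r}")
    for gid, sid, src, dst in [(122, 27, "192.0.2.1", "198.51.100.2"),
                               (122, 3, "192.0.2.1", "198.51.100.2"),
                               (1, 2494, "192.0.2.1", "10.1.2.3"),
                               (1, 2494, "10.1.2.3", "192.0.2.1")]:
        print(gid, sid, src, "->", dst, "suppressed" if
              is_suppressed(rules, gid, sid, src, dst) else "alerted")
```

Running the block prints the rejected line first, which is the check a practitioner would want before restarting the sensor: if a suppress line is malformed it may never take effect, and the `[suppression]` table in the startup log is the place to confirm which entries Snort actually loaded.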



