Snort mailing list archives
Suppressing alerts doesn't work
From: Jiří Červenka <cervenka () sps-pi cz>
Date: Fri, 04 Mar 2005 12:14:00 +0100
Hello, I'm trying to suppress a few alerts. I have inserted these values into threshold.conf and included it in snort.conf:
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3:
suppress gen_id 119, sig_id 7

Then I have restarted snort. Here is the daemon.log:

Mar 4 09:15:27 gate snort: Initializing daemon mode
Mar 4 09:15:27 gate snort: PID path stat checked out ok, PID path set to /var/run/
Mar 4 09:15:27 gate snort: Writing PID "759" to file "/var/run//snort_eth1.pid"
Mar 4 09:15:27 gate snort: Parsing Rules file /etc/snort/snort.conf
Mar 4 09:15:27 gate snort: ,-----------[Flow Config]----------------------
Mar 4 09:15:27 gate snort: | Stats Interval: 0
Mar 4 09:15:27 gate snort: | Hash Method: 2
Mar 4 09:15:27 gate snort: | Memcap: 10485760
Mar 4 09:15:27 gate snort: | Rows : 4099
Mar 4 09:15:27 gate snort: | Overhead Bytes: 16400(%0.16)
Mar 4 09:15:27 gate snort: `----------------------------------------------
Mar 4 09:15:27 gate snort: HttpInspect Config:
Mar 4 09:15:27 gate snort: GLOBAL CONFIG
Mar 4 09:15:27 gate snort: Max Pipeline Requests: 0
Mar 4 09:15:27 gate snort: Inspection Type: STATELESS
Mar 4 09:15:27 gate snort: Detect Proxy Usage: NO
Mar 4 09:15:27 gate snort: IIS Unicode Map Filename: /etc/snort/unicode.map
Mar 4 09:15:27 gate snort: IIS Unicode Map Codepage: 1252
Mar 4 09:15:27 gate snort: DEFAULT SERVER CONFIG:
Mar 4 09:15:27 gate snort: Ports: 80 8080 8180
Mar 4 09:15:27 gate snort: Flow Depth: 300
Mar 4 09:15:27 gate snort: Max Chunk Length: 500000
Mar 4 09:15:27 gate snort: Inspect Pipeline Requests: YES
Mar 4 09:15:27 gate snort: URI Discovery Strict Mode: NO
Mar 4 09:15:27 gate snort: Allow Proxy Usage: NO
Mar 4 09:15:27 gate snort: Disable Alerting: NO
Mar 4 09:15:27 gate snort: Oversize Dir Length: 500
Mar 4 09:15:27 gate snort: Only inspect URI: NO
Mar 4 09:15:27 gate snort: Ascii: YES alert: NO
Mar 4 09:15:27 gate snort: Double Decoding: YES alert: YES
Mar 4 09:15:27 gate snort: %U Encoding: YES alert: YES
Mar 4 09:15:27 gate snort: Bare Byte: YES alert: YES
Mar 4 09:15:27 gate snort: Base36: OFF
Mar 4 09:15:27 gate snort: UTF 8: OFF
Mar 4 09:15:27 gate snort: IIS Unicode: YES alert: YES
Mar 4 09:15:27 gate snort: Multiple Slash: YES alert: NO
Mar 4 09:15:27 gate snort: IIS Backslash: YES alert: NO
Mar 4 09:15:27 gate snort: Directory Traversal: YES alert: NO
Mar 4 09:15:27 gate snort: Web Root Traversal: YES alert: YES
Mar 4 09:15:27 gate snort: Apache WhiteSpace: YES alert: NO
Mar 4 09:15:27 gate snort: IIS Delimiter: YES alert: NO
Mar 4 09:15:27 gate snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Mar 4 09:15:27 gate snort: Non-RFC Compliant Characters: NONE
Mar 4 09:15:27 gate snort: rpc_decode arguments:
Mar 4 09:15:27 gate snort: Ports to decode RPC on: 111 32771
Mar 4 09:15:27 gate snort: alert_fragments: INACTIVE
Mar 4 09:15:27 gate snort: alert_large_fragments: ACTIVE
Mar 4 09:15:27 gate snort: alert_incomplete: ACTIVE
Mar 4 09:15:27 gate snort: alert_multiple_requests: ACTIVE
Mar 4 09:15:27 gate snort: telnet_decode arguments:
Mar 4 09:15:27 gate snort: Ports to decode telnet on: 21 23 25 119
Mar 4 09:15:27 gate snort: Portscan Detection Config:
Mar 4 09:15:27 gate snort: Detect Protocols: TCP UDP ICMP IP
Mar 4 09:15:27 gate snort: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Mar 4 09:15:27 gate snort: Sensitivity Level: Low
Mar 4 09:15:27 gate snort: Memcap (in bytes): 10000000
Mar 4 09:15:27 gate snort: Number of Nodes: 36900
Mar 4 09:15:27 gate snort:
Mar 4 09:15:28 gate snort: Warning: flowbits key 'tls1.client_hello.request' is checked but not ever set.
Mar 4 09:15:28 gate snort: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Mar 4 09:15:28 gate snort: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Mar 4 09:15:28 gate snort:
Mar 4 09:15:28 gate snort: +-----------------------[thresholding-config]----------------------------------
Mar 4 09:15:28 gate snort: | memory-cap : 1048576 bytes
Mar 4 09:15:28 gate snort: +-----------------------[thresholding-global]----------------------------------
Mar 4 09:15:28 gate snort: | none
Mar 4 09:15:28 gate snort: +-----------------------[thresholding-local]-----------------------------------
Mar 4 09:15:28 gate snort: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Mar 4 09:15:28 gate snort: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
Mar 4 09:15:28 gate snort: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Mar 4 09:15:28 gate snort: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
Mar 4 09:15:28 gate snort: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Mar 4 09:15:28 gate snort: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
Mar 4 09:15:28 gate snort: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Mar 4 09:15:28 gate snort: +-----------------------[suppression]------------------------------------------
Mar 4 09:15:28 gate snort: | gen-id=119 sig-id=7 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar 4 09:15:28 gate snort: | gen-id=122 sig-id=3 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar 4 09:15:28 gate snort: | gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar 4 09:15:28 gate snort: +------------------------------------------------------------------------------
Mar 4 09:15:28 gate snort: Rule application order: ->pass->activation->dynamic->alert->log
Mar 4 09:15:28 gate snort: Log directory = /var/log/snort
Mar 4 09:15:28 gate snort: Snort initialization completed successfully (pid=759)
Mar 4 09:15:31 gate snort: Final Flow Statistics
Mar 4 09:15:31 gate snort: Snort exiting

But the suppressed gen_ids and sig_ids are still caught by snort. What is wrong? Thanks for any help.
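As an added example, not from the post or from the Snort project: a Python check that parses threshold.conf suppress lines (the Snort 2.x form "suppress gen_id N, sig_id M" with an optional "track by_src|by_dst, ip A"), parses the [suppression] block Snort prints at startup, and reports which configured entries did or did not load, so a malformed line such as a stray trailing ":" shows up as rejected rather than silently ignored. The conf and log excerpts are constructed from the post; the by_src line is an added hypothetical entry.

```python
import re

# Constructed threshold.conf excerpt mirroring the post (one entry per line);
# the last line is a hypothetical entry added to show the track/ip form.
THRESHOLD_CONF = """\
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
suppress gen_id 119, sig_id 7
suppress gen_id 1, sig_id 2003, track by_src, ip 10.1.1.54
"""
# Constructed daemon.log excerpt: the [suppression] block as Snort prints it at startup.
DAEMON_LOG = """\
Mar 4 09:15:28 gate snort: +-----------------------[suppression]------------------------------------------
Mar 4 09:15:28 gate snort: | gen-id=119 sig-id=7 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar 4 09:15:28 gate snort: | gen-id=122 sig-id=3 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar 4 09:15:28 gate snort: | gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
Mar 4 09:15:28 gate snort: +------------------------------------------------------------------------------
"""

# suppress gen_id <gid>, sig_id <sid> [, track by_src|by_dst, ip <addr>[/cidr]]
CONF_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
# Snort prints "tracking=dst" and "ip=..." without a separating space.
LOG_RE = re.compile(r"\| gen-id=(\d+) sig-id=(\d+) tracking=(dst|src)ip=(\S+) mask=(\S+)")

def parse_conf(text):
    """Map (gid, sid) -> (track, ip) for well-formed suppress lines; list malformed ones."""
    entries, bad = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CONF_RE.match(line)
        if m:
            entries[(int(m[1]), int(m[2]))] = (m[3], m[4])
        else:
            bad.append(line)
    return entries, bad

def parse_log(text):
    """Map (gid, sid) -> (tracking, ip, mask) from the startup [suppression] block."""
    return {(int(m[1]), int(m[2])): (m[3], m[4], m[5])
            for m in LOG_RE.finditer(text)}

def check(conf_text, log_text):
    """Return (configured but not loaded, loaded but not configured), each sorted."""
    conf, _ = parse_conf(conf_text)
    loaded = parse_log(log_text)
    return sorted(set(conf) - set(loaded)), sorted(set(loaded) - set(conf))
```

A suppression that appears in the [suppression] block with ip=0.0.0.0 mask=0.0.0.0 was accepted unconditionally by the parser; if an alert with that gen-id/sig-id still fires, the problem lies past config parsing, not in the threshold.conf syntax.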