Snort mailing list archives
Re: alert suppression
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 6 May 2009 14:44:02 -0600
Hi,

Yes I am running some of the emerging-threats rules, and grepping for "tag:" shows quite a few rules that use it. Is there no way to determine which rule is generating the "tag: tagged packet" alert? What is it for exactly?

-- Shawn

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: May 06, 2009 1:34 PM
To: Jefferson, Shawn
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] alert suppression

You can grep for the word "tag". Like I said, there is only one VRT rule that has it turned on, otherwise the alerts are probably coming from pseudo packets out of some preprocessor. If you are running a ruleset from other rule repositories, there are lots of rules with "tag" in the Emerging-Threats rules.

J

On Wed, May 6, 2009 at 4:28 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Hi,

1. I'm not sure. I didn't even know that this alert could be triggered by a rule instead of the pre-processor. How would I figure out which rule(s) may be triggering the tag: tagged packet alert? What's the purpose of this alert?

2. I'll take another look at the readme for the dcerpc2 preprocessor. Maybe I can set some alert suppression for these in the threshold.conf file instead...

Thanks for your help,
Shawn

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: May 05, 2009 4:39 PM
To: Jefferson, Shawn
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] alert suppression

What alert is generating the tag alerts? Is it a rule, or is it the stream preprocessor? (Grep your rules files for the word "tag". I think there is only 1 rule in the VRT ruleset with tag turned on by default.) As for the dcerpc2 preprocessor, take a look at the readme. It has an "events none" configuration option for your snort.conf.

J

On Tue, May 5, 2009 at 6:25 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Hi,

I want to suppress some alerts I've been getting, specifically the tag: tagged packet. I've tried putting "suppress gen_id 2, sig_id 1" in the threshold.conf file, but this doesn't seem to be working. Is there a better way to suppress this alert? Especially if there is a method that is better performance-wise. I've looked around in the documentation and didn't see anything specific to the tag: tagged packet alert.

Also, the new dcerpc2 preprocessor is pretty noisy in my environment, creating quite a few alerts each day. Can anyone share any tuning advice for this?

Thanks,
Shawn

--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 | http://twitter.com/joelesler
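The question in the thread, which rule carries the tag option, can be answered from the rule files themselves rather than from the alert log. The script below is an added example, not from the thread or from Snort; its rule file is constructed for the demo and RULES_DIR is an assumed location.

```shell
#!/bin/sh
# Added example (not from the thread): list the active rules in a rules
# directory that carry a "tag:" option, so the rule behind a
# "tag: tagged packet" alert can be located. The rule file below is
# constructed for the demo; RULES_DIR is an assumed location.

RULES_DIR="${RULES_DIR:-$(mktemp -d)}"
cat > "$RULES_DIR/sample.rules" <<'EOF'
# constructed sample rules, not from the VRT or Emerging-Threats rulesets
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE smb probe"; flow:to_server; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE irc nick"; content:"NICK "; tag:session,30,seconds; sid:9000002; rev:2;)
alert udp any any -> any 53 (msg:"SAMPLE dns query"; tag:host,10,packets,src; sid:9000003; rev:1;)
# a commented-out rule must not be reported:
# alert tcp any any -> any 80 (msg:"SAMPLE disabled"; tag:session,5,packets; sid:9000004; rev:1;)
EOF

# list_tagging_rules DIR
# Prints "sid<TAB>tag spec<TAB>msg" for every active rule that has a tag
# option. Only lines starting with a rule action are considered, so
# commented-out rules are skipped, and "tag:" must follow a ';' or '(' so
# that the word inside an msg string does not count.
list_tagging_rules() {
    grep -h -E '^[[:space:]]*(alert|log|pass|drop|sdrop|reject)[[:space:]]' "$1"/*.rules 2>/dev/null \
    | grep -E '[;(][[:space:]]*tag:' \
    | awk '{
        sid = ""; tag = ""; msg = ""
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", sid)
        }
        if (match($0, /[;(][ \t]*tag:[ \t]*[^;]+/)) {
            tag = substr($0, RSTART, RLENGTH); sub(/.*tag:[ \t]*/, "", tag)
        }
        if (match($0, /msg:"[^"]*"/)) {
            msg = substr($0, RSTART + 5, RLENGTH - 6)
        }
        printf "%s\t%s\t%s\n", sid, tag, msg
    }'
}

list_tagging_rules "$RULES_DIR"
```

Point RULES_DIR at the real Snort rules directory to run it against a live ruleset; a rule that shows up here is a candidate source of gen_id 2 tagged-packet alerts, and one that does not points back at a preprocessor.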