Snort mailing list archives

Re: How to Ignore certain alerts


From: "Daniel Qian" <daniel.qian () supracanada com>
Date: Mon, 21 Sep 2009 11:07:04 -0400

As far as I can see, the main difference between the two snort.conf files is that one has the directive
'dynamicdetection directory' activated and the other has multiple 'dynamicdetection file' directives that define the 
detection modules one by one.

Here is the output when using the VRT snort.conf, which worked with snort-2.8.4.1:

[root@noc snort]# snort -c /etc/snort/snort.conf -i eth1
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 ]
PortVar 'SHELLCODE_PORTS' defined :  [ any ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'AUTH_PORTS' defined :  [ 113 ]
PortVar 'DNS_PORTS' defined :  [ 53 ]
PortVar 'FINGER_PORTS' defined :  [ 79 ]
PortVar 'FTP_PORTS' defined :  [ 21 ]
PortVar 'IMAP_PORTS' defined :  [ 143 ]
PortVar 'IRC_PORTS' defined :  [ 6665:6669 7000 ]
PortVar 'MSSQL_PORTS' defined :  [ 1433 ]
PortVar 'NNTP_PORTS' defined :  [ 119 ]
PortVar 'POP2_PORTS' defined :  [ 109 ]
PortVar 'POP3_PORTS' defined :  [ 110 ]
PortVar 'SUNRPC_PORTS' defined :  [ 111 32770:32779 ]
PortVar 'RLOGIN_PORTS' defined :  [ 513 ]
PortVar 'RSH_PORTS' defined :  [ 514 ]
PortVar 'SMB_PORTS' defined :  [ 139 445 ]
PortVar 'SMTP_PORTS' defined :  [ 25 ]
PortVar 'SNMP_PORTS' defined :  [ 161 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'TELNET_PORTS' defined :  [ 23 ]
PortVar 'MAIL_PORTS' defined :  [ 25 110 143 465 587 691 ]
PortVar 'SSL_PORTS' defined :  [ 25 443 465 587 636 993 995 ]
PortVar 'DCERPC_NCACN_IP_TCP' defined :  [ 139 445 ]
PortVar 'DCERPC_NCADG_IP_UDP' defined :  [ 138 1024:65535 ]
PortVar 'DCERPC_NCACN_IP_LONG' defined :  [ 135 139 445 593 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_LONG' defined :  [ 135 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_SHORT' defined :  [ 135 593 1024:65535 ]
PortVar 'DCERPC_NCACN_TCP' defined :  [ 2103 2105 2107 ]
PortVar 'DCERPC_BRIGHTSTORE' defined :  [ 6503:6504 ]
Detection:
   Search-Method = AC-BNFA-Q
ERROR: /etc/snort/snort.conf(273) Config option "detection" can only be configured once.
Fatal Error, Quitting..




  ----- Original Message ----- 
  From: Joel Esler 
  To: Daniel Qian 
  Cc: Brian Fagan ; snort-users () lists sourceforge net 
  Sent: Monday, September 21, 2009 10:39 AM
  Subject: Re: [Snort-users] How to Ignore certain alerts


  You should use the one from the VRT ruleset.  However, your snort.conf should be custom configured for your network, so you probably won't be using the stock snort.conf file.


  What is the error message you are receiving?  Can you cut and paste it?


  Joel


  On Mon, Sep 21, 2009 at 10:28 AM, Daniel Qian <daniel.qian () supracanada com> wrote:

    Thanks for the info, Joel. I am a new user and was not aware that snort.org has been redesigned.

    I have another question regarding the packages for the new snort release and the VRT rules:
    both of them have a snort.conf file but they are a little different. Which one should I use?
    I have been using the one that comes with the rules package but it won't work with snort release 2.8.5. It complains about loading a duplicate 'detection'.



    ----- Original Message -----
    From: "Joel Esler" <jesler () sourcefire com>
    To: "Daniel Qian" <daniel.qian () supracanada com>
    Cc: "Brian Fagan" <bfagan () teleformix com>; <snort-users () lists sourceforge net>
    Sent: Monday, September 21, 2009 10:10 AM
    Subject: Re: [Snort-users] How to Ignore certain alerts


    The link isn't valid at this time, as that functionality has not been moved
    from the old snort.org to the current web design.

    The part you are interested in is the number
    in the URL.

    On Monday, September 21, 2009, Daniel Qian <daniel.qian () supracanada com> wrote:

      Thanks for the reply, Brian. The 'snort' reference link takes me to a page saying 'The page you are looking for isn't here'. I assumed the link was produced by snort output and upgraded snort to the most recent release 2.8.5, but the error is still there. Is this normal or a real error?


       ----- Original Message -----
       From: Brian Fagan <bfagan () teleformix com>
       To: Daniel Qian <daniel.qian () supracanada com>
       Cc: snort-users () lists sourceforge net; Joel Esler
       Sent: Monday, September 21, 2009 8:41 AM
       Subject: Re: [Snort-users] How to Ignore certain alerts


       In BASE, if you click on the snort link in the signature it will take you to a Snort page that gives you an error; if you look at the end of the link you will see something like 1:3254. The first number is the gen_id and the second number is the sig_id.
       ----- Original Message -----
       From: "Daniel Qian" <daniel.qian () supracanada com>
       To: "Joel Esler" <jesler () sourcefire com>
       Cc: snort-users () lists sourceforge net
       Sent: Saturday, September 19, 2009 9:02:55 PM GMT -06:00 US/Canada Central
       Subject: Re: [Snort-users] How to Ignore certain alerts




       How do I get the values for gen_id and sig_id from the Base output to put in the threshold.conf file?

         ----- Original Message -----
         From: Joel Esler
         To: Daniel Qian
         Cc: snort-users () lists sourceforge net
         Sent: Saturday, September 19, 2009 8:34 PM
         Subject: Re: [Snort-users] How to Ignore certain alerts

      You should place the suppressions in the threshold.conf file.
         Make sure that the file is also uncommented in the snort.conf file.
         (It's at the very bottom of the stock file)


         J

         On Sat, Sep 19, 2009 at 8:13 PM, Daniel Qian <daniel.qian () supracanada com> wrote:
           Should I place the suppression rule in the rules/local.rules file? In the Base interface, where can I find the sid of the alerts that get triggered?

           ----- Original Message -----
           From: "Joel Esler" <jesler () sourcefire com>
           To: "Daniel Qian" <daniel.qian () supracanada com>
           Cc: <snort-users () lists sourceforge net>
           Sent: Friday, September 18, 2009 6:43 PM
           Subject: Re: [Snort-users] How to Ignore certain alerts





           Check out "suppression" in the

  -- 
  Joel Esler | 302-223-5974 | Gtalk: jesler () sourcefire com
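The thread above settles two practical points: suppressions go in threshold.conf (with its include uncommented at the bottom of snort.conf), and the gen_id and sig_id come from the tail of the BASE reference link (something like 1:3254). Daniel's paste also shows what happens when a merged snort.conf carries "config detection" twice. The Python below is an added example, not from the thread and not Snort project code, that puts those pieces together: it pulls gid:sid:rev and the source IP out of Snort 2.x alert_fast lines, accepts the gid:sid tail of a reference link, emits Snort 2.x threshold.conf "suppress" entries, and scans a snort.conf for "config" keywords that appear more than once and for a live "include threshold.conf". The alert lines, the link and the snort.conf fragment are constructed samples, not real output.

```python
"""Added example (not from the thread): derive threshold.conf suppressions from
Snort 2.x alert output / a BASE reference link, and check a snort.conf for
duplicated 'config' keywords and a live 'include threshold.conf'.
All sample data below is constructed for illustration."""
import re

# Constructed sample in Snort 2.x "alert_fast" format: [gid:sid:rev] ... {PROTO} src:port -> dst:port
SAMPLE_ALERTS = """\
09/21-10:28:01.000001  [**] [1:3254:8] EXAMPLE ALERT A [**] [Priority: 1] {TCP} 10.0.0.5:4321 -> 192.0.2.10:25
09/21-10:28:02.000002  [**] [119:2:1] (http_inspect) EXAMPLE ALERT B [**] [Priority: 3] {TCP} 10.0.0.7:51000 -> 192.0.2.20:80
09/21-10:28:03.000003  [**] [1:3254:8] EXAMPLE ALERT A [**] [Priority: 1] {TCP} 10.0.0.5:4322 -> 192.0.2.10:25
09/21-10:28:04.000004  [**] [1:3254:8] EXAMPLE ALERT A [**] [Priority: 1] {TCP} 10.0.0.9:4000 -> 192.0.2.10:25
"""

# Constructed snort.conf fragment that reproduces the "detection can only be
# configured once" error from the thread: two 'config detection' lines.
SAMPLE_CONF = """\
# merged from two snort.conf files (constructed)
config detection: search-method ac-bnfa-q
dynamicdetection directory /usr/local/lib/snort_dynamicrules
config detection: search-method ac-bnfa-q
# include threshold.conf
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{[A-Z]+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)
REF_TAIL_RE = re.compile(r"(\d+):(\d+)/?$")
CONFIG_RE = re.compile(r"^\s*config\s+([A-Za-z_]+)\s*(?::|$)")
INCLUDE_RE = re.compile(r"^\s*include\s+\S*threshold\.conf\s*$")


def parse_alert_ids(text):
    """Return (gid, sid, rev, src_ip) for every alert_fast line in text (IPv4 only)."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((int(m["gid"]), int(m["sid"]), int(m["rev"]), m["src"]))
    return out


def parse_reference_tail(link):
    """gen_id and sig_id from the end of a BASE 'snort' reference link, e.g. '.../1:3254'."""
    m = REF_TAIL_RE.search(link.strip())
    if not m:
        raise ValueError("no gen_id:sig_id at the end of link: %r" % link)
    return int(m.group(1)), int(m.group(2))


def suppress_lines(ids, by_src=False):
    """Build Snort 2.x threshold.conf 'suppress' entries, deduplicated and sorted.

    ids: iterable of (gid, sid) or (gid, sid, rev, src_ip) tuples.
    by_src=False silences the signature everywhere; by_src=True silences it only
    for the source IPs actually seen, which keeps the rule live for other hosts."""
    entries = set()
    for rec in ids:
        gid, sid = rec[0], rec[1]
        if by_src:
            if len(rec) < 4:
                raise ValueError("by_src needs a source IP per record")
            entries.add("suppress gen_id %d, sig_id %d, track by_src, ip %s" % (gid, sid, rec[3]))
        else:
            entries.add("suppress gen_id %d, sig_id %d" % (gid, sid))
    return sorted(entries)


def duplicate_config_options(conf_text):
    """Map each 'config <keyword>' that appears more than once to its line numbers.

    Snort rejects some keywords configured twice ('detection' is the one in the
    thread's error), so these are candidates to inspect, not all necessarily errors."""
    seen = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = CONFIG_RE.match(line)
        if m:
            seen.setdefault(m.group(1), []).append(lineno)
    return {k: v for k, v in seen.items() if len(v) > 1}


def threshold_conf_included(conf_text):
    """True only if an uncommented 'include ... threshold.conf' line is present."""
    return any(INCLUDE_RE.match(line) for line in conf_text.splitlines())


if __name__ == "__main__":
    ids = parse_alert_ids(SAMPLE_ALERTS)
    print("# suppressions from the alert log, per source IP")
    print("\n".join(suppress_lines(ids, by_src=True)))
    print("# suppression from the tail of a BASE reference link (constructed URL)")
    print("\n".join(suppress_lines([parse_reference_tail("http://example.invalid/sid/1:3254")])))
    print("duplicated config keywords:", duplicate_config_options(SAMPLE_CONF))
    print("threshold.conf included:", threshold_conf_included(SAMPLE_CONF))
```

The by_src form is the one to reach for first: it silences a noisy rule for the hosts that are generating the noise while leaving it active for everyone else, whereas a bare "suppress gen_id, sig_id" blinds the sensor to that signature entirely. The config checks do not parse Snort's full grammar; they flag repeated "config" keywords and a commented-out include so the two failures discussed in this thread are visible before Snort is restarted.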
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users