Snort mailing list archives
Re: How to Ignore certain alerts
From: "Daniel Qian" <daniel.qian () supracanada com>
Date: Mon, 21 Sep 2009 11:07:04 -0400
As far as I can see the main difference of the two snort.conf files is one has directive 'dynamicdetection directory' activated and the other has multiple 'dynamicdetection file' directives to define the detection modules one by one. Here is the output when using the VRT snort.conf which worked with snort-2.8.4.1: [root@noc snort]# snort -c /etc/snort/snort.conf -i eth1 Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" PortVar 'HTTP_PORTS' defined : [ 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 ] PortVar 'SHELLCODE_PORTS' defined : [ any ] PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ] PortVar 'AUTH_PORTS' defined : [ 113 ] PortVar 'DNS_PORTS' defined : [ 53 ] PortVar 'FINGER_PORTS' defined : [ 79 ] PortVar 'FTP_PORTS' defined : [ 21 ] PortVar 'IMAP_PORTS' defined : [ 143 ] PortVar 'IRC_PORTS' defined : [ 6665:6669 7000 ] PortVar 'MSSQL_PORTS' defined : [ 1433 ] PortVar 'NNTP_PORTS' defined : [ 119 ] PortVar 'POP2_PORTS' defined : [ 109 ] PortVar 'POP3_PORTS' defined : [ 110 ] PortVar 'SUNRPC_PORTS' defined : [ 111 32770:32779 ] PortVar 'RLOGIN_PORTS' defined : [ 513 ] PortVar 'RSH_PORTS' defined : [ 514 ] PortVar 'SMB_PORTS' defined : [ 139 445 ] PortVar 'SMTP_PORTS' defined : [ 25 ] PortVar 'SNMP_PORTS' defined : [ 161 ] PortVar 'SSH_PORTS' defined : [ 22 ] PortVar 'TELNET_PORTS' defined : [ 23 ] PortVar 'MAIL_PORTS' defined : [ 25 110 143 465 587 691 ] PortVar 'SSL_PORTS' defined : [ 25 443 465 587 636 993 995 ] PortVar 'DCERPC_NCACN_IP_TCP' defined : [ 139 445 ] PortVar 'DCERPC_NCADG_IP_UDP' defined : [ 138 1024:65535 ] PortVar 'DCERPC_NCACN_IP_LONG' defined : [ 135 139 445 593 1024:65535 ] PortVar 'DCERPC_NCACN_UDP_LONG' defined : [ 135 1024:65535 ] PortVar 'DCERPC_NCACN_UDP_SHORT' defined : [ 135 593 1024:65535 ] PortVar 'DCERPC_NCACN_TCP' defined : [ 2103 2105 2107 ] PortVar 'DCERPC_BRIGHTSTORE' defined : [ 6503:6504 ] Detection: Search-Method = AC-BNFA-Q ERROR: /etc/snort/snort.conf(273) Config option "detection" can only be configured once. Fatal Error, Quitting.. ----- Original Message ----- From: Joel Esler To: Daniel Qian Cc: Brian Fagan ; snort-users () lists sourceforge net Sent: Monday, September 21, 2009 10:39 AM Subject: Re: [Snort-users] How to Ignore certain alerts You should use the one from the VRT ruleset. However, your snort.conf should be custom configured for your network, so you probably won't be using the stock snort.conf file. What is the error message you are receiving? Can you cut and paste it? Joel On Mon, Sep 21, 2009 at 10:28 AM, Daniel Qian <daniel.qian () supracanada com> wrote: Thanks for the Info Joel. I am a new user and was not aware that snort.org has been re-disigned. I have another question regarding the packages for new snort release and VRT rules - both of them have a snort.conf file but they are a little different. Which one should I use? I have been using the one that comes with the rules package but it wont work with snort release 2.8.5. It comlains something about loading duplicate 'detection'. ----- Original Message ----- From: "Joel Esler" <jesler () sourcefire com> To: "Daniel Qian" <daniel.qian () supracanada com> Cc: "Brian Fagan" <bfagan () teleformix com>; <snort-users () lists sourceforge net> Sent: Monday, September 21, 2009 10:10 AM Subject: Re: [Snort-users] How to Ignore certain alerts The link isn't valid at this time, as that functionality has not been moved from the old snort.org to the current web design. The part you are interested in is the number in the URL. On Monday, September 21, 2009, Daniel Qian <daniel.qian () supracanada com> wrote: Thanks for the reply Brian. The 'snort' reference link takes me to the page saying 'The page you are looking for isn’t here'. I assume the link is produced by snort output and upgraded snort to the most recent release 2.8.5 but the error is still there. Is this normal or a real error? ----- Original Message ----- From: Brian Fagan <javascript:_e({}, 'cvml', 'bfagan () teleformix com');> To: Daniel Qian <javascript:_e({}, 'cvml', 'daniel.qian () supracanada com');> Cc: snort-users () lists sourceforge net ; Joel Esler Sent: Monday, September 21, 2009 8:41 AM Subject: Re: [Snort-users] How to Ignore certain alerts In BASE if you click on the snort link in the signature it will take you to a Snort page that gives you an error, if you look at the end of the link you will see something like 1:3254, the first number is the gen_id and the seconed number is the sig_id. ----- Original Message ----- From: "Daniel Qian" <daniel.qian () supracanada com> To: "Joel Esler" <jesler () sourcefire com> Cc: snort-users () lists sourceforge net Sent: Saturday, September 19, 2009 9:02:55 PM GMT -06:00 US/Canada Central Subject: Re: [Snort-users] How to Ignore certain alerts How do I get the value for gen_id, sig_id from the Base output to put in threshold.conf file? ----- Original Message ----- From: Joel Esler To: Daniel Qian Cc: snort-users () lists sourceforge net Sent: Saturday, September 19, 2009 8:34 PM Subject: Re: [Snort-users] How to Ignore certain alerts You should place the suppressions in the threshold.conf file. Make sure that the file is also uncommented in the snort.conf file. (It's at the very bottom of the stock file) J On Sat, Sep 19, 2009 at 8:13 PM, Daniel Qian <daniel.qian () supracanada com> wrote: Should I place the suppression rule in rules/local.rules file? In Base interface, where can I find the sid of the alerts that get triggered? ----- Original Message ----- From: "Joel Esler" <jesler () sourcefire com> To: "Daniel Qian" <daniel.qian () supracanada com> Cc: <snort-users () lists sourceforge net> Sent: Friday, September 18, 2009 6:43 PM Subject: Re: [Snort-users] How to Ignore certain alerts Check out "suppression" in the -- Joel Esler | 302-223-5974 | Gtalk: jesler () sourcefire com
------------------------------------------------------------------------------ Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: How to Ignore certain alerts, (continued)
- Re: How to Ignore certain alerts Joel Esler (Sep 19)
- Re: How to Ignore certain alerts Daniel Qian (Sep 19)
- Re: How to Ignore certain alerts Joel Esler (Sep 19)
- Re: How to Ignore certain alerts Daniel Qian (Sep 19)
- Re: How to Ignore certain alerts Joel Esler (Sep 20)
- Re: How to Ignore certain alerts Brian Fagan (Sep 21)
- Re: How to Ignore certain alerts Daniel Qian (Sep 21)
- Re: How to Ignore certain alerts Joel Esler (Sep 21)
- Re: How to Ignore certain alerts Daniel Qian (Sep 21)
- Re: How to Ignore certain alerts Joel Esler (Sep 21)
- Re: How to Ignore certain alerts Daniel Qian (Sep 21)
- Re: How to Ignore certain alerts Nigel Houghton (Sep 21)
- Re: How to Ignore certain alerts Daniel Qian (Sep 21)