Snort mailing list archives
Re: New Suppress
From: rcombs <rcombs () sourcefire com>
Date: Thu, 24 Sep 2009 11:34:14 -0400
Wally, comments inline below.

Russ

On Thu, Sep 24, 2009 at 9:53 AM, JJ Cummings <cummingsj () gmail com> wrote:

BPF would also be a good option...

Sent from the iRoad

On Sep 24, 2009, at 9:29, Jason Wallace <jason.r.wallace () gmail com> wrote:

I would like to suppress all alerts from our external vulnerability scanning service. Their scans can come from numerous IP ranges. The README.filters states that for "suppress": "Multiple suppress commands may be defined for a given gid, sid".
This is still restricted to multiple suppressions for non-zero gid and non-zero sid.
I know in the past you could only have one suppress gen_id 0, sig_id 0 statement in threshold.conf. Has this changed now? I'd like to do...

suppress gen_id 0, sig_id 0, track by_src, ip x.x.x.x/24
suppress gen_id 0, sig_id 0, track by_src, ip y.y.y.y/24

You can't have multiple 0,0 suppressions but you can use an ip list like this:

suppress gen_id 0, sig_id 0, track by_src, ip [x.x.x.x/24,y.y.y.y/24]
and so on. It also states that a list of IPs can be used. Is this just a single CIDR, or can you have multiple CIDRs/individual IPs on one suppress statement now? If so, what is the correct format to use?

Details on IP lists are in the snort manual. In summary, an IP list starts with '[' and ends with ']', and contains a comma separated list of IPs, CIDRs, or IP lists (they can be nested). Items may be negated by preceding with a '!'.
Thx,
Wally

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
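A worked example of the IP-list syntax Russ describes (bracketed, comma separated, nestable, '!' negates an item), added here as an illustration; it is not code from this thread or from Snort. It parses the `ip` argument of a threshold.conf `suppress` line and checks which of a scanning service's source addresses the line would actually cover, which is the check a defender wants before deploying a gen_id 0, sig_id 0 suppression that silences every alert from those sources. The sample addresses are constructed from RFC 5737 documentation ranges, and the evaluation rule (an address is in a list when it matches some non-negated entry and no negated entry) is my reading of the syntax; confirm the exact negation semantics against the Snort manual for your version.

```python
"""Parse and evaluate the Snort IP-list syntax used by 'suppress ... ip [...]'.

Added example, not part of the mailing-list thread or of Snort itself.
Assumed rule: an address is in a list when it matches at least one non-negated
entry (or the list holds only negated entries) and matches no negated entry;
a leading '!' on a CIDR or on a nested list inverts that entry.
"""
import ipaddress
import re
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[bool, Union[Net, List["Entry"]]]  # (negated, network or nested list)

# Constructed sample: the x/y placeholders from the thread replaced with
# RFC 5737 documentation ranges, plus one excluded host. Not real scanner IPs.
SAMPLE_SUPPRESS = (
    "suppress gen_id 0, sig_id 0, track by_src, "
    "ip [192.0.2.0/24,198.51.100.0/24,!198.51.100.7]"
)


def parse_ip_list(text: str) -> Entry:
    """Recursive-descent parser for '[a,b,!c,[d,!e]]'; a bare CIDR is also accepted."""
    text = text.strip()
    pos = 0

    def skip_ws() -> None:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_entry() -> Entry:
        nonlocal pos
        skip_ws()
        negated = False
        if pos < len(text) and text[pos] == "!":
            negated = True
            pos += 1
            skip_ws()
        if pos < len(text) and text[pos] == "[":
            pos += 1
            members: List[Entry] = []
            while True:
                members.append(parse_entry())
                skip_ws()
                if pos >= len(text):
                    raise ValueError("unterminated IP list")
                if text[pos] == ",":
                    pos += 1
                    continue
                if text[pos] == "]":
                    pos += 1
                    return (negated, members)
                raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        start = pos
        while pos < len(text) and text[pos] not in ",]":
            pos += 1
        token = text[start:pos].strip()
        if not token:
            raise ValueError(f"empty entry at offset {start}")
        # strict=False tolerates host bits set in a CIDR (e.g. 10.1.2.3/24)
        return (negated, ipaddress.ip_network(token, strict=False))

    entry = parse_entry()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"trailing characters after IP list: {text[pos:]!r}")
    return entry


def _matches(item, addr) -> bool:
    """Membership test for a network or nested list, ignoring the item's own '!' flag."""
    if isinstance(item, list):
        positive = [m for m in item if not m[0]]
        negative = [m for m in item if m[0]]
        # a list with only negated members means "everything except those"
        hit = any(_matches(m[1], addr) for m in positive) if positive else True
        excluded = any(_matches(m[1], addr) for m in negative)
        return hit and not excluded
    return addr in item  # False on IPv4/IPv6 version mismatch


def contains(entry: Entry, addr) -> bool:
    """True if the parsed entry (honouring its own '!' flag) covers addr."""
    negated, item = entry
    result = _matches(item, addr)
    return (not result) if negated else result


def ip_list_from_suppress(line: str) -> Entry:
    """Pull the argument of the 'ip' keyword out of a threshold.conf suppress line."""
    line = line.strip()
    m = re.search(r"\bip\s+(.+?)\s*$", line)
    if not line.startswith("suppress") or not m:
        raise ValueError("not a suppress line with an ip argument")
    return parse_ip_list(m.group(1))


def uncovered_sources(line: str, sources) -> List[str]:
    """Return the scanner source addresses that the suppress line would NOT cover."""
    entry = ip_list_from_suppress(line)
    return [s for s in sources if not contains(entry, ipaddress.ip_address(s))]


if __name__ == "__main__":
    scanner_sources = ["192.0.2.55", "198.51.100.7", "198.51.100.8", "203.0.113.1"]
    print("not covered:", uncovered_sources(SAMPLE_SUPPRESS, scanner_sources))
```

Run it against the real address list your scanning vendor publishes and the exact suppress line from threshold.conf; anything it reports as not covered will still alert, and anything it reports as covered will be silent for every gid/sid, which is the trade-off a 0,0 suppression makes.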
Current thread:
- New Suppress Jason Wallace (Sep 24)
- Re: New Suppress JJ Cummings (Sep 24)
- Re: New Suppress rcombs (Sep 24)
- Re: New Suppress Jack Pepper (Sep 24)
- Re: New Suppress Jason Brvenik (Sep 24)
- Re: New Suppress JJ Cummings (Sep 24)