Re: New Suppress

[rcombs <rcombs () sourcefire com>]

Wally, comments inline below.
Russ

On Thu, Sep 24, 2009 at 9:53 AM, JJ Cummings <cummingsj () gmail com> wrote:

> BPF would also be a good option...
>
> Sent from the iRoad
>
> On Sep 24, 2009, at 9:29, Jason Wallace <jason.r.wallace () gmail com>
> wrote:
>
> > I would like to suppress all alerts from our external vulnerability
> > scanning service. Their scans can come from numerous IP ranges.
> >
> > The README.filters states that for "suppress" "Multiple suppress
> > commands may be defined for a given gid, sid"

This is still restricted to multiple suppressions for non-zero gid and
non-zero sid.

> > I know in the past you could only have one suppress gen_id 0, sig_id 0
> > statement in threshold.conf. Has this changed now? I'd like to do...
> >
> > suppress gen_id 0, sig_id 0, track by_src, ip x.x.x.x/24
> > suppress gen_id 0, sig_id 0, track by_src, ip y.y.y.y/24

You can't have multiple 0,0 suppressions but you can use an ip list like
this:

 suppress gen_id 0, sig_id 0, track by_src, ip [x.x.x.x/24,y.y.y.y/24]

> > and so on.
> >
> > It also states that a list of IP's can be used. Is this just a single
> > CIDR or can you have multipule CIDR/individual IPs on one suppress
> > statement now? If so what is the correct format to use?

Details on IP lists are in the snort manaul.  In summary, an IP list starts
with '[' and ends with ']', and contains a comma separated list of IPs,
CIDRs, or IP lists (they can be nested).  Items may be negated by preceding
with a '!'.

> > Thx,
> > Wally
> >
> > ---
> > ---
> > ---
> > ---------------------------------------------------------------------
> > Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> > is the only developer event you need to attend this year. Jumpstart
> > your
> > developing skills, take BlackBerry mobile applications to market and
> > stay
> > ahead of the curve. Join us from November 9&#45;12, 2009. Register
> > now&#33;
> > http://p.sf.net/sfu/devconf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
> http://p.sf.net/sfu/devconf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users