Snort mailing list archives

Re: supress sid:1000002 ICMP alert


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 29 Sep 2009 10:37:54 -0600

When I was faced with a similar problem, I just copied the complete rule definition into local.rules and changed it to
a pass rule with a different SID, shown below (IP addresses changed).

pass tcp 192.x.x.1 any -> 192.x.x.2 any (msg:"ET ATTACK_RESPONSE Adenau Shellcode False Positive"; \
    content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; \
    classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009249; \
    reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; \
    sid:1500000; rev:2;)

-----Original Message-----
From: Ryan Jordan [mailto:jjordan () sourcefire com] 
Sent: Tuesday, September 29, 2009 9:37 AM
To: Jefferson, Shawn
Cc: Ron Kaye Jr; dvenman () sourcefire com; snort-users () lists sourceforge net; ny-sug () lists snort org
Subject: Re: [Snort-users] supress sid:1000002 ICMP alert

"suppress" has an option to only suppress a specific src or dst IP. 
Shawn is correct in that you cannot use both.

format:
suppress gen_id 1, sig_id 1000002, track by_dst, ip ip.of.snort.server

Jefferson, Shawn wrote:
If you want to only ignore a rule for a specific src and dst pair, then 
AFAIK, you need to create a PASS rule.

------------------------------------------------------------------------

From: Ron Kaye Jr [mailto:rekaye1005 () verizon net]
Sent: Tuesday, September 29, 2009 8:01 AM
To: dvenman () sourcefire com; snort-users () lists sourceforge net; ny-sug () lists snort org
Subject: [Snort-users] supress sid:1000002 ICMP alert


thx

here is my problem child

ID #: 4 - 639531
Time: 2009-09-25 12:08:29
Triggered Signature: [local: signatures/1000002.txt] [snort: http://www.snort.org/pub-bin/sigs.cgi?sid=1:1000002] Snort Alert [1:1000002:0]



Massive numbers of these ICMP alerts; typically a keepalive with source/destination router/snort server
or snort server/router, but there are other src/dest which I would allow/monitor.

in threshold ...
suppress gen_id 1, sig_id 1000002

would get everything

any thoughts?


Do you use IDS Policy Manager (XP client)? It choked on that SID of 1000005.

Is that a non-Snort, user-defined range?

thx again 

Ron Kaye Jr
914-7294734

On Sep 28, 2009, Dave Venman <dvenman () sourcefire com> wrote:

    The "1" before the ":sid".


    Each different event generator (rules, SO rules, preprocessors) has
    its own, and 1 is rules, 3 is SO rules, etc. 

    On 28 Sep 2009, at 18:49, Ron Kaye Jr <rekaye1005 () verizon net> wrote:

        see the sid, where da gid?

        Ron Kaye Jr
        914-7294734

        On Sep 28, 2009, Dave Venman <dvenman () sourcefire com> wrote:

            If you mean, what are the SID and GID for the two rules
            shown,  then the "sid=" parameter in the base output gives
            it all away.

            GID is 1, SID is 11974 or 11988.

            2009/9/28 Ron Kaye Jr <rekaye1005 () verizon net>

            next ...

            how do I track down the gen_id and sig_id for my suppression
            line in threshold.conf

            my "base" output for ...


            VOIP-SIP response too small
            ID #: 4 - 315702
            Time: 2009-09-24 09:07:10
            Triggered Signature: [url: http://www.ietf.org/rfc/rfc3261.txt] [local: signatures/11974.txt] [snort: http://www.snort.org/pub-bin/sigs.cgi?sid=1:11974] VOIP-SIP response too small

            VOIP-SIP From header format string attempt
            ID #: 4 - 309836
            Time: 2009-09-23 16:32:43
            Triggered Signature: [url: http://www.ietf.org/rfc/rfc3261.txt] [url: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/] [local: signatures/11988.txt] [snort: http://www.snort.org/pub-bin/sigs.cgi?sid=1:11988] VOIP-SIP From header format string attempt


            thx

            Ron Kaye Jr
            914-7294734
            ------------------------------------------------------------------------------
            Come build with us! The BlackBerry® Developer Conference in SF, CA
            is the only developer event you need to attend this year. Jumpstart your
            developing skills, take BlackBerry mobile applications to market and stay
            ahead of the curve. Join us from November 9-12, 2009. Register now!
            http://p.sf.net/sfu/devconf
            _______________________________________________
            Snort-users mailing list
            Snort-users () lists sourceforge net
            Go to this URL to change user options or unsubscribe:
            https://lists.sourceforge.net/lists/listinfo/snort-users
            Snort-users list archive:
            http://www.geocrawler.com/redir-sf.php3?list=snort-users




            -- 
            Dave Venman
            Security Engineer, Sourcefire
            Email:   dave.venman () sourcefire com
            Mobile: +44 (7917) 168068
            DDI:     +44 (118) 989 8412
            Fax:     +44 (118) 989 8401



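The two mechanisms discussed in this thread side by side, as an added example written for this page (it is not from any of the posters). Ron's rule body for sid:1000002 is not shown in the thread, so the alert rule below is an assumed stand-in; 192.0.2.1 (router), 192.0.2.10 (Snort server) and the pass rule's sid:1000003 are placeholders. The file names match Snort 2.8-era layout (rules in local.rules, suppress lines in threshold.conf).

```snort
# --- local.rules ---------------------------------------------------------
# Assumed stand-in for the rule behind [1:1000002:0]; the thread shows only
# the alert label, not the rule body. Addresses are placeholders.
alert icmp any any -> any any (msg:"LOCAL ICMP keepalive"; itype:8; sid:1000002;)

# --- threshold.conf ------------------------------------------------------
# suppress tracks ONE endpoint. by_dst silences 1000002 for every packet
# sent to the Snort server, whatever the source; by_src silences it for
# everything the router sends, whatever the destination. Neither one can
# express "only the router <-> Snort server pair"; the other src/dst
# combinations Ron wants to keep watching would be silenced along with it.
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.10
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.1

# --- local.rules ---------------------------------------------------------
# Pair-specific exception, Shawn's approach: a pass rule whose header names
# both endpoints and whose options are copied from the alert rule, so it
# matches exactly the packets the alert rule would and nothing else.
# "<>" covers both directions of the keepalive in one rule. The pass rule
# gets its own SID in the local (>= 1000000) range.
pass icmp 192.0.2.1 any <> 192.0.2.10 any (msg:"PASS router <> snort keepalive"; itype:8; sid:1000003;)
```

Check the result with `snort -T -c <your snort.conf>` before restarting the sensor. A pass rule only takes effect if Snort evaluates pass rules before alert rules, so confirm the rule order for your release (`config order:` in snort.conf, or the `-o` switch on older versions). Because the pass rule duplicates the alert rule's options, any later revision of the alert rule has to be mirrored in the pass rule; that maintenance cost is the trade-off against a single suppress line.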
