Snort mailing list archives
Re: Fine tuning Snort
From: "James Lay" <jlay () slave-tothe-box net>
Date: Fri, 8 Oct 2010 07:55:01 -0600
Oh good grief...there it is in pretty blue in vim 8-| Turning 41 apparently means needing glasses....thanks Joel. James
The best examples for suppressions are in the threshold.conf file. J On Oct 8, 2010, at 8:47 AM, James Lay wrote:What the .I looked all through the snort pdf too and since I didn't see an example showing that I uh well assumed ..heh..you've saved me a BUNCH of time..thanks Scott. Jam From: ScottO <skippylou () gmail com> Date: Fri, 8 Oct 2010 08:31:57 -0400 To: James Lay <jlay () slave-tothe-box net> Cc: Snort <snort-users () lists sourceforge net> Subject: Re: [Snort-users] Fine tuning Snort James, You can specify cidr notation for address blocks in threshold.conf, something like: suppress gen_id 1, sig_id 11111, track by_src, ip 10.1.2.0/24 Hope that helps, scott On Fri, Oct 8, 2010 at 8:24 AM, James Lay <jlay () slave-tothe-box net> wrote:Thanks Waldo, It's been quite interesting...I have at least four rules that look for executables...and as I look at the threshold file I can only threshold against one IP at a time...meaning I've got a lot of work to do as I have to add pretty much most of google and windowsupdate.com ;) Even thought I'm tempted to simply start snort to not monitor those netblocks, eh...I'd rather do the right thing. Thanks again for the help. James On 10/7/10 10:23 PM, "waldo kitty" <wkitty42 () windstream net> wrote:On 10/7/2010 14:02, James Lay wrote:Kevin and Waldo, you gents are treasuresI will get to work andreportmy resultsthank you much!something else to thing about concerning rules that you would just totally suppress in threshold.conf... if they are completely suppressed thenyoumight as well comment them out of the rules set so they do not consume any memory and snort won't waste any time loading them just to be ignoring them...but iguess this also depends on your tools and management systems... some may use only threshold to "disable" rules where others may actually comment them in the rules sets files... personally, i think the threshold file is best tosuppresscertain rules for certain IPs... total suppression is the same as disabledso...;) -------------------------------------------------------------------------- ---- Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creatinggreatexperiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Fine tuning Snort James Lay (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- <Possible follow-ups>
- Re: Fine tuning Snort James Lay (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort ScottO (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort Joel Esler (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort Jefferson, Shawn (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 09)
- Re: Fine tuning Snort Joel Esler (Oct 09)