Re: Preprocessing rule blocking

[SnortFan <SnortFan () yahoo com>]

Never mind. This sensor is at remote location that is having network issues and it's actually still writing data into 
the database that is two days old. So I'm just chasing my tail here. I bet it's working be ause the suppression is 
working at another location.  

Thanks,
Ed

Sent from a mobile device. 

On May 24, 2013, at 10:23 AM, SnortFan <SnortFan () yahoo com> wrote:

> Update: 
>      Here's from the startup output and I can see its reading the suppression however the 137:1 's are still getting 
> alerts. 
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[detection-filter-rules]-------------------------------
> -------------------------------------------------------------------------------
>
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[rate-filter-rules]------------------------------------
> | none
> -------------------------------------------------------------------------------
>
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[event-filter-global]----------------------------------
> | none
> +-----------------------[event-filter-local]-----------------------------------
> | none+-----------------------[suppression]------------------------------------------
> | gen-id=1      sig-id=1000120    tracking=dst-ip=<list>          
> | gen-id=119    sig-id=27         tracking=none
> | gen-id=119    sig-id=32         tracking=none
> | gen-id=120    sig-id=8          tracking=none
> | gen-id=120    sig-id=3          tracking=none
> | gen-id=124    sig-id=1          tracking=src-ip=<list>          
> | gen-id=124    sig-id=1          tracking=src-ip=<list>          
> | gen-id=137    sig-id=1          tracking=none
> -------------------------------------------------------------------------------
>
> Sent from a mobile device. 
>
> On May 24, 2013, at 9:00 AM, SnortFan <SnortFan () yahoo com> wrote:
>
> > I decided to try to suppress using:
> >
> > Suppress gen_id 137, sig_id 1
> >
> > But suppression doesn't seem to work, after restarting snort the alerts still get through. 
> >
> > If I try at the snort.conf by commenting out the preprocessor wouldn't I be suppressing all SSL alerts? 
> >
> > Thanks, 
> >
> > Sent from a mobile device. 
> >
> > On May 23, 2013, at 8:00 PM, waldo kitty <wkitty42 () windstream net> wrote:
> >
> > > On 5/23/2013 15:15, SnortFan wrote:
> > > > Hi All,
> > > >    If I want to limit or block all reporting on Snort Alert [137:1:0]
> > > >
> > > > Would this work to limit it to one for every minute via the threshold.conf. Is there an easy way to block it all 
> > > > together?
> > > >
> > > > event_filter \
> > > >   gen_id 137, sig_id 1, \
> > > >   type limit, track by_src, \
> > > >   count 1, seconds 60
> > >
> > > yes, that will limit is to one alert every minute...
> > >
> > > to disable it completely, you might comment the rule out in your 
> > > preproc_rules/preprocessor.rules file if you are using that... i /think/ that's 
> > > where the stub is located...
> > >
> > > -- 
> > > NOTE: No off-list assistance is given without prior approval.
> > >      Please keep mailing list traffic on the list unless
> > >      private contact is specifically requested and granted.
> > >
> > > ------------------------------------------------------------------------------
> > > Try New Relic Now & We'll Send You this Cool Shirt
> > > New Relic is the only SaaS-based application performance monitoring service 
> > > that delivers powerful full stack analytics. Optimize and monitor your
> > > browser, app, & servers with just a few lines of code. Try New Relic
> > > and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> > ------------------------------------------------------------------------------
> > Try New Relic Now & We'll Send You this Cool Shirt
> > New Relic is the only SaaS-based application performance monitoring service 
> > that delivers powerful full stack analytics. Optimize and monitor your
> > browser, app, & servers with just a few lines of code. Try New Relic
> > and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring service 
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!