Snort mailing list archives
Re: Preprocessing rule blocking
From: SnortFan <SnortFan () yahoo com>
Date: Fri, 24 May 2013 14:04:06 -0400
Never mind. This sensor is at a remote location that is having network issues and it's actually still writing data into the database that is two days old. So I'm just chasing my tail here. I bet it's working because the suppression is working at another location.

Thanks,
Ed

Sent from a mobile device.

On May 24, 2013, at 10:23 AM, SnortFan <SnortFan () yahoo com> wrote:

> Update: Here's from the startup output and I can see it's reading the suppression; however the 137:1's are still getting alerts.
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[detection-filter-rules]-------------------------------
> -------------------------------------------------------------------------------
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[rate-filter-rules]------------------------------------
> | none
> -------------------------------------------------------------------------------
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[event-filter-global]----------------------------------
> | none
> +-----------------------[event-filter-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | gen-id=1 sig-id=1000120 tracking=dst-ip=<list>
> | gen-id=119 sig-id=27 tracking=none
> | gen-id=119 sig-id=32 tracking=none
> | gen-id=120 sig-id=8 tracking=none
> | gen-id=120 sig-id=3 tracking=none
> | gen-id=124 sig-id=1 tracking=src-ip=<list>
> | gen-id=124 sig-id=1 tracking=src-ip=<list>
> | gen-id=137 sig-id=1 tracking=none
> -------------------------------------------------------------------------------
>
> Sent from a mobile device.
>
> On May 24, 2013, at 9:00 AM, SnortFan <SnortFan () yahoo com> wrote:
>
>> I decided to try to suppress using:
>>
>> Suppress gen_id 137, sig_id 1
>>
>> But suppression doesn't seem to work; after restarting snort the alerts still get through. If I try at the snort.conf by commenting out the preprocessor, wouldn't I be suppressing all SSL alerts?
>>
>> Thanks,
>>
>> Sent from a mobile device.
>>
>> On May 23, 2013, at 8:00 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>
>>> On 5/23/2013 15:15, SnortFan wrote:
>>>
>>>> Hi All,
>>>>
>>>> If I want to limit or block all reporting on Snort Alert [137:1:0], would this work to limit it to one for every minute via the threshold.conf? Is there an easy way to block it altogether?
>>>>
>>>> event_filter \
>>>>     gen_id 137, sig_id 1, \
>>>>     type limit, track by_src, \
>>>>     count 1, seconds 60
>>>
>>> yes, that will limit it to one alert every minute... to disable it completely, you might comment the rule out in your preproc_rules/preprocessor.rules file if you are using that... i /think/ that's where the stub is located...
>>>
>>> --
>>> NOTE: No off-list assistance is given without prior approval.
>>> Please keep mailing list traffic on the list unless
>>> private contact is specifically requested and granted.
------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
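The thread ends with two separate questions: is the suppression for 137:1 actually loaded, and are the alerts still showing up newer than the restart, or (as it turned out) old data arriving late from a remote sensor. The script below is an added example, not code from the thread or from the Snort project. It parses the startup tables quoted above and a few constructed fast-alert lines; the sample text, the restart timestamp and all function names are assumptions made for the example.

```python
"""Check whether a gid:sid is covered by a loaded suppression and whether the
alerts still being seen post-date the restart.

Added example; not from the thread or the Snort project. The startup output
below is constructed from the block quoted in the thread; the alert lines are
constructed in Snort's fast-alert layout with placeholder message text."""
import re
from datetime import datetime

# Constructed from the startup output posted in the thread.
STARTUP_OUTPUT = """\
+-----------------------[event-filter-global]----------------------------------
| none
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| gen-id=1 sig-id=1000120 tracking=dst-ip=<list>
| gen-id=119 sig-id=27 tracking=none
| gen-id=137 sig-id=1 tracking=none
-------------------------------------------------------------------------------
"""

# Constructed sample: two 137:1 alerts dated two days before the restart and
# one 119:27 alert after it. Message text is a placeholder, not a real Snort msg.
SAMPLE_ALERTS = """\
05/22-13:04:06.123456  [**] [137:1:1] placeholder ssl alert (constructed) [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 10.0.0.9:51000
05/22-13:05:10.000001  [**] [137:1:1] placeholder ssl alert (constructed) [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 10.0.0.9:51002
05/24-10:11:12.000000  [**] [119:27:1] placeholder http alert (constructed) [**] [Priority: 3] {TCP} 10.0.0.9:52000 -> 10.0.0.7:80
"""

# Assumed restart time of the sensor (snort -c ... re-read threshold.conf here).
RESTART_TIME = datetime(2013, 5, 24, 9, 0, 0)

SECTION_RE = re.compile(r"^\+-+\[(?P<name>[^\]]+)\]-+$")
ENTRY_RE = re.compile(
    r"^\|\s*gen-id=(?P<gid>\d+)\s+sig-id=(?P<sid>\d+)\s+tracking=(?P<tracking>\S+)")
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]")


def parse_startup_tables(text):
    """Map each boxed section name to the list of gid/sid/tracking entries it holds.
    Rows such as '| none', '| memory-cap ...' and separator lines carry no entry."""
    tables = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            tables[current] = []
            continue
        if current is None or not line.startswith("|"):
            continue
        e = ENTRY_RE.match(line)
        if e:
            tables[current].append({"gid": int(e.group("gid")),
                                    "sid": int(e.group("sid")),
                                    "tracking": e.group("tracking")})
    return tables


def is_suppressed(tables, gid, sid):
    """True when the [suppression] table lists this gid:sid (any tracking mode)."""
    return any(e["gid"] == gid and e["sid"] == sid
               for e in tables.get("suppression", []))


def parse_fast_alerts(text, year):
    """Parse fast-alert lines; the format has no year, so the caller supplies it."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({"ts": ts, "gid": int(m.group("gid")), "sid": int(m.group("sid"))})
    return alerts


def alerts_after(alerts, gid, sid, since):
    """Alerts for gid:sid that post-date `since`. Anything older was generated
    before the config reload and says nothing about whether suppression works."""
    return [a for a in alerts
            if a["gid"] == gid and a["sid"] == sid and a["ts"] > since]


if __name__ == "__main__":
    tables = parse_startup_tables(STARTUP_OUTPUT)
    alerts = parse_fast_alerts(SAMPLE_ALERTS, 2013)
    print("137:1 suppression loaded:", is_suppressed(tables, 137, 1))
    print("137:1 alerts newer than restart:", len(alerts_after(alerts, 137, 1, RESTART_TIME)))
```

With the constructed input the suppression is loaded and no 137:1 alert is newer than the restart, which is the "stale data, not a broken suppress" situation Ed describes; a non-empty result from `alerts_after` would be the case worth investigating further.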
Current thread:
- Preprocessing rule blocking SnortFan (May 23)
- Re: Preprocessing rule blocking waldo kitty (May 23)
- Re: Preprocessing rule blocking SnortFan (May 24)
- Re: Preprocessing rule blocking SnortFan (May 24)
- Re: Preprocessing rule blocking SnortFan (May 24)
- Re: Preprocessing rule blocking waldo kitty (May 24)
- Re: Preprocessing rule blocking SnortFan (May 24)
- Re: Preprocessing rule blocking waldo kitty (May 23)