Snort mailing list archives

Re: Snort-devel Digest, Vol 20, Issue 2


From: Thanos Constantopoulos via Snort-devel <snort-devel () lists snort org>
Date: Mon, 11 Feb 2019 00:35:49 -0800

Hello Russ,

Yes, these are built-in rules and I was trying to also add a global
suppression for all signatures. I tried to comment the signature from
the built-in rules but that didn't work.
Can you please explain a bit more about the multiple policies? How can
I implement this?


On Fri, Feb 8, 2019 at 11:30 PM <snort-devel-request () lists snort org> wrote:

Send Snort-devel mailing list submissions to
        snort-devel () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
        snort-devel-request () lists snort org

You can reach the person managing the list at
        snort-devel-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-devel digest..."


Today's Topics:

   1. Re: Help with Suppression (Russ)
   2. Re: Help with Suppression (Tim Townsend)
   3. Re: Help with Suppression (lbelyeu71 () gmail com)
   4. remove from list (Aaron Taylor)
   5. Fwd:  remove from list (Mel Griffiths)


----------------------------------------------------------------------

Message: 1
Date: Fri, 8 Feb 2019 12:29:19 -0500
From: Russ <rucombs () cisco com>
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Help with Suppression
Message-ID: <c9cc45b0-8f82-cc40-5b0d-7b877991619a () cisco com>
Content-Type: text/plain; charset=utf-8; format=flowed

Hey Thanos,

You can only set one suppression per gid:sid pair so you can't at the
moment fully exclude a gid:sid by suppression.

Are the alerts you are trying to suppress with 0:0 based on builtin
rules? You may be able to configure multiple policies differently to work
around some cases.

Also, I'm curious about your suppression of 119:225 and 119:228. Can you
share any data on those like -A cmg output or maybe a pcap?

Thanks
Russ

On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:
Hello All,

We are running Snort3.0.0-250 as IDS and we are trying to suppress
several IP addresses from the logs (global suppression from all
signatures). In order to perform this for specific IP addresses by
source we add the below under snort.lua

suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    -- both addresses go in one ip list: a repeated 'ip' key in a Lua table keeps only the last value
    { gid = 0, sid = 0, track = 'by_src', ip = '[10.10.10.10, 192.168.10.10]' },
}

My questions are:

- Is there a way to use additional suppression rules to cover by_src
with the same gid and sid?
- Is there a way to use additional suppression rules to cover by_src
and by_dst, to totally exclude a subnet or IP address?
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!


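As an added example, not code from the thread or from the Snort project: a small Python linter for a snort.lua suppress block that catches the pitfalls visible in the config above (a missing '=', an unquoted track value, a repeated key that Lua silently overwrites, and several entries for one gid:sid pair, which per Russ's reply Snort does not keep as separate suppressions). SAMPLE and FIXED are constructed; the bracketed IP-list string for ip is assumed to follow Snort's IP-list syntax.

```python
import re
from collections import Counter

# Constructed sample: the suppress block from the thread, plus a fourth entry that
# repeats gid:sid 119:228 with a different track.
SAMPLE = """suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid 225 },
    { gid = 0, sid = 0, track = by_src, ip = '10.10.10.10', ip = '192.168.10.10' },
    { gid = 119, sid = 228, track = 'by_dst', ip = '10.10.10.10' },
}
"""

# Corrected form (constructed); the bracketed list is assumed to be Snort's IP-list syntax.
FIXED = """suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    { gid = 0, sid = 0, track = 'by_src', ip = '[10.10.10.10, 192.168.10.10]' },
}
"""

ENTRY_RE = re.compile(r"\{([^{}]*)\}")                               # one { ... } entry
FIELD_RE = re.compile(r"(\w+)\s*(=)?\s*('[^']*'|[^,]+?)\s*(?:,|$)")  # key [=] value

def lint_suppress(text):
    """Return human-readable findings for a snort.lua suppress block."""
    findings, pairs = [], Counter()
    body = text[text.index("suppress"):]
    for n, entry in enumerate(ENTRY_RE.finditer(body), 1):
        fields = []
        for key, eq, val in FIELD_RE.findall(entry.group(1)):
            if not eq:
                findings.append(f"entry {n}: '{key} {val.strip()}' is missing '='")
            fields.append((key, val.strip()))
        for key, count in Counter(k for k, _ in fields).items():
            if count > 1:  # Lua keeps only the last assignment to a repeated table key
                findings.append(f"entry {n}: key '{key}' given {count} times; only the last value survives")
        f = dict(fields)
        if "track" in f and not f["track"].startswith("'"):
            findings.append(f"entry {n}: track = {f['track']} must be a quoted string such as 'by_src'")
        if "ip" in f and "track" not in f:
            findings.append(f"entry {n}: ip given without track")
        if "gid" in f and "sid" in f:
            pairs[(f["gid"], f["sid"])] += 1
    for (gid, sid), count in pairs.items():
        if count > 1:  # Snort keeps one suppression per gid:sid, so the extra entries are not honoured
            findings.append(f"gid:sid {gid}:{sid} listed {count} times; only one suppression per pair is kept")
    return findings
```

Running lint_suppress(SAMPLE) reports the four problems; lint_suppress(FIXED) returns an empty list.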

------------------------------

Message: 2
Date: Fri, 8 Feb 2019 17:28:12 +0000
From: Tim Townsend <Tim () SaifulBouquet com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Help with Suppression
Message-ID:
        <abdb6d7cf9d44774ad0e4d28ef410cef@Mail.SaifulBouquet.local>
Content-Type: text/plain; charset="utf-8"

I have removed myself from this group several times through the website but I am still getting emails. Can someone 
please remove me?

Thanks

TIM TOWNSEND
IT Director



------------------------------

Message: 3
Date: Fri, 8 Feb 2019 19:35:15 +0000 (UTC)
From: "lbelyeu71 () gmail com" <lbelyeu71 () gmail com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>,  Tim
        Townsend <Tim () SaifulBouquet com>
Subject: Re: [Snort-devel] Help with Suppression
Message-ID: <204005713.560161.1549654515221 () mail yahoo com>
Content-Type: text/plain; charset="utf-8"

Please remove me as well. No longer in this profession.


------------------------------

Message: 4
Date: Fri, 8 Feb 2019 17:04:08 -0500
From: Aaron Taylor <aaroncurtistaylor () gmail com>
To: snort-devel () lists snort org
Subject: [Snort-devel] remove from list
Message-ID:
        <CABU9SvWQWX2VdRZ+CvEn2fg-J14VHd3xazC-oY=bFLxEy4_a4g () mail gmail com>
Content-Type: text/plain; charset="UTF-8"

I have also unsubscribed but somehow still getting emails. Please
remove me from the list.


------------------------------

Message: 5
Date: Sat, 9 Feb 2019 15:25:50 +0800
From: Mel Griffiths <melsphonemail () gmail com>
To: snort-devel () lists snort org
Subject: [Snort-devel] Fwd:  remove from list
Message-ID:
        <CA+0kOjcT5=Z+OtBMRQrn=gEusuVJ7zsibtKgvNfc03MGdou7VQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Could you please also remove me from this list?

Thanks.



------------------------------

------------------------------

End of Snort-devel Digest, Vol 20, Issue 2
******************************************