Snort mailing list archives

Re: Help with Suppression


From: Eugenio Pérez via Snort-devel <snort-devel () lists snort org>
Date: Sat, 23 Feb 2019 12:13:10 +0100

Hi, Thanos!

I'm not sure if this will match what you are looking for, or the way you
want to achieve it, but I did a patch adding by-src AND by-dst
suppression filters. Sadly, I have not maintained the original repository since
2016 (Snort version 2.9.8.3), but I think that the patch should apply
easily to the latest Snort 2.x, and maybe to Snort 3.x. I'm happy to update
the patch to the latest Snort version.

https://github.com/eugpermar/snort/tree/feature/sIP_dIP_filters

If that is OK for you, please be sure to only use the
"feature/sIP_dIP_filters" branch, since the "master" branch contains
other patches that you may not want to apply (they are described in the README).

Hope that it works for you. Regards!

On Sat, 23 Feb 2019 at 12:01, Thanos Constantopoulos via Snort-devel (<snort-devel () lists snort org>) wrote:

Hello All,

I'm resending this in the hope that you can clarify the below.

What I'm trying to achieve is the below:

Suppress a specific signature (done)
Suppress a specific signature from a specific source IP (done)
Suppress a specific signature from a specific destination IP (done)
Suppress a specific signature from a specific IP address by_src and/or by_dst (is this possible?)
Global suppress (0:0) a specific source IP (done)
Global suppress (0:0) a specific destination IP (done)
Global suppress (0:0) a specific IP address by_src and/or by_dst (is this possible?)

You mentioned multiple policies. How can I create multiple policies?

Is there a way to place the suppression rules in a different file and
include this in snort.lua?

Thanks




--------------------------------------------------------------------------------------------------------------------------





Hello Russ

Yes these are built-in rules and I was trying to also add a global
suppression for all signatures. I tried to comment out the signature in
the builtin rules but that didn't work.
Can you please explain a bit more about the multiple policies? How can
I implement this?



Message: 1
Date: Fri, 8 Feb 2019 12:29:19 -0500
From: Russ <rucombs () cisco com>
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Help with Suppression
Message-ID: <c9cc45b0-8f82-cc40-5b0d-7b877991619a () cisco com>
Content-Type: text/plain; charset=utf-8; format=flowed



Hey Thanos,

You can only set one suppression per gid:sid pair so you can't at the
moment fully exclude a gid:sid by suppression.

Are the alerts you are trying to suppress with 0:0 based on builtin
rules? You may be able to configure multiple policies differently to work
around some cases.

Also, I'm curious about your suppression of 119:225 and 119:228. Can you
share any data on those like -A cmg output or maybe a pcap?

Thanks
Russ



On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:

Hello All,

We are running Snort 3.0.0-250 as an IDS and we are trying to suppress
several IP addresses from the logs (global suppression from all
signatures). In order to perform this for specific IP addresses by
source we add the below under snort.lua

suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    -- Lua keeps only the last value of a repeated table key, so the second
    -- 'ip' overrides the first and only '192.168.10.10' reaches Snort.
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10', ip = '192.168.10.10' },
}

My questions are:

- Is there a way to use additional suppression rules to cover by_src
with the same gid and sid?
- Is there a way to use additional suppression rules to cover by_src
and by_dst, to totally exclude a subnet or IP address?

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
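The poster's suppress table with its syntax fixed, plus a small pre-load check that applies the constraint Russ states above (one suppression per gid:sid pair). This is an added example for this thread, not the poster's configuration or Snort's own code; the helper name check_suppress is hypothetical, and the quoted-string form of track follows Snort 3's Lua configuration conventions.

```lua
-- Added example (not from the thread or from Snort's own code): a version of the
-- poster's suppress table with the syntax fixed, plus a self-check that applies
-- the rule Russ states (one suppression per gid:sid pair) before Snort loads it.
-- Run it with a stand-alone Lua interpreter; Snort itself never calls check_suppress.

suppress =
{
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },
    -- One address per entry: a repeated 'ip' key in one Lua table keeps only the
    -- last value, so the poster's single-entry form silently dropped 10.10.10.10.
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10' },
    -- A second 0:0 entry collides with the one above under the one-per-gid:sid rule,
    -- which is exactly what the check below is meant to surface.
    { gid = 0, sid = 0, track = 'by_src', ip = '192.168.10.10' },
}

-- check_suppress (hypothetical helper): returns a list of finding strings;
-- an empty list means no problem was detected.
function check_suppress(tbl)
    local findings, seen = {}, {}
    local function add(i, msg)
        findings[#findings + 1] = ('entry %d: %s'):format(i, msg)
    end
    for i, e in ipairs(tbl) do
        if type(e.gid) ~= 'number' or type(e.sid) ~= 'number' then
            add(i, 'gid and sid must be numbers')
        else
            local key = e.gid .. ':' .. e.sid
            if seen[key] then
                add(i, ('%s is already suppressed by entry %d; Snort keeps one suppression per gid:sid'):format(key, seen[key]))
            else
                seen[key] = i
            end
        end
        if e.track ~= nil and e.track ~= 'by_src' and e.track ~= 'by_dst' then
            add(i, "track must be the string 'by_src' or 'by_dst'")
        end
        if e.ip ~= nil and type(e.ip) ~= 'string' then
            add(i, 'ip must be a quoted string')
        end
    end
    return findings
end

local findings = check_suppress(suppress)
if #findings == 0 then
    print('suppress table looks clean')
else
    for _, f in ipairs(findings) do print('WARNING: ' .. f) end
end
```

With the table as written, the check reports the fourth entry as a duplicate 0:0 suppression; drop or merge the colliding entries until the check runs clean before pointing snort.lua at the file.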







------------------------------

Message: 2
Date: Fri, 8 Feb 2019 17:28:12 +0000
From: Tim Townsend <Tim () SaifulBouquet com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Help with Suppression
Message-ID: <abdb6d7cf9d44774ad0e4d28ef410cef@Mail.SaifulBouquet.local>
Content-Type: text/plain; charset="utf-8"

I have removed myself from this group several times through the website
but I am still getting emails. Can someone please remove me?

Thanks

TIM TOWNSEND
IT Director






------------------------------

Message: 3
Date: Fri, 8 Feb 2019 19:35:15 +0000 (UTC)
From: "lbelyeu71 () gmail com" <lbelyeu71 () gmail com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>, Tim Townsend <Tim () SaifulBouquet com>
Subject: Re: [Snort-devel] Help with Suppression
Message-ID: <204005713.560161.1549654515221 () mail yahoo com>
Content-Type: text/plain; charset="utf-8"

Please remove me as well. No longer in this profession.






------------------------------



Message: 4
Date: Fri, 8 Feb 2019 17:04:08 -0500
From: Aaron Taylor <aaroncurtistaylor () gmail com>
To: snort-devel () lists snort org
Subject: [Snort-devel] remove from list
Message-ID: <CABU9SvWQWX2VdRZ+CvEn2fg-J14VHd3xazC-oY=bFLxEy4_a4g () mail gmail com>
Content-Type: text/plain; charset="UTF-8"

I have also unsubscribed but somehow still getting emails. Please
remove me from the list.





------------------------------



Message: 5
Date: Sat, 9 Feb 2019 15:25:50 +0800
From: Mel Griffiths <melsphonemail () gmail com>
To: snort-devel () lists snort org
Subject: [Snort-devel] Fwd: remove from list
Message-ID: <CA+0kOjcT5=Z+OtBMRQrn=gEusuVJ7zsibtKgvNfc03MGdou7VQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Could you please also remove me from this list?

Thanks.









------------------------------



Subject: Digest Footer

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

------------------------------

End of Snort-devel Digest, Vol 20, Issue 2
******************************************





------------------------------



Message: 3
Date: Mon, 11 Feb 2019 09:36:23 -0500
From: Russ <rucombs () cisco com>
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 20, Issue 2
Message-ID: <39c7db5c-2d8e-e871-f098-9ebad0064f20 () cisco com>
Content-Type: text/plain; charset=utf-8; format=flowed

Commenting out the rule will disable it completely. Make sure you are
not also setting ips.enable_builtin_rules = true. That setting is just
to enable the builtin rules w/o using the rule stubs.

On 2/11/19 3:35 AM, Thanos Constantopoulos via Snort-devel wrote:

Hello Russ

Yes these are built-in rules and I was trying to also add a global
suppression for all signatures. I tried to comment out the signature in
the builtin rules but that didn't work.
Can you please explain a bit more about the multiple policies? How can
I implement this?





