Snort mailing list archives
Re: Help with Suppression
From: Eugenio Pérez via Snort-devel <snort-devel () lists snort org>
Date: Sat, 23 Feb 2019 12:13:10 +0100
Hi, Thanos!

I'm not sure if this will match what you are looking for, or the way you want to achieve it, but I did a patch for adding the by src AND dst suppression filters. Sadly, I have not maintained the original repository since 2016 (Snort version 2.9.8.3), but I think that the patch should match the latest Snort 2.x easily, and maybe Snort 3.x. I'm happy to update the patch to the latest Snort version.

https://github.com/eugpermar/snort/tree/feature/sIP_dIP_filters

If that is OK for you, please be sure to only use the "feature/sIP_dIP_filters" branch, since the "master" branch does contain other patches that you may not want to apply (they are described in the README).

Hope that it works for you.

Regards!

On Sat, 23 Feb 2019 at 12:01, Thanos Constantopoulos via Snort-devel (<snort-devel () lists snort org>) wrote:
Hello All,

I'm resending this in case you can clarify the below. What I'm trying to achieve is the below:

- Suppress a specific signature (done)
- Suppress a specific signature from a specific source IP (done)
- Suppress a specific signature from a specific destination IP (done)
- Suppress a specific signature from a specific IP address by_src and/or by_dst (is this possible?)
- Global suppress (0:0) a specific source IP (done)
- Global suppress (0:0) a specific destination IP (done)
- Global suppress (0:0) a specific IP address by_src and/or by_dst (is this possible?)

You mentioned multiple policies. How can I create multiple policies?

Is there a way to place the suppression rules in a different file and include it in snort.lua?

Thanks

--------------------------------------------------------------------------------------------------------------------------

Hello Russ,

Yes, these are builtin rules and I was trying to also add a global suppression for all signatures. I tried to comment the signature out of the builtin rules but that didn't work.

Can you please explain a bit more about the multiple policies? How can I implement this?

Message: 1
Date: Fri, 8 Feb 2019 12:29:19 -0500
From: Russ <rucombs () cisco com>
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Help with Suppression

Hey Thanos,

You can only set one suppression per gid:sid pair so you can't at the moment fully exclude a gid:sid by suppression.

Are the alerts you are trying to suppress with 0:0 based on builtin rules? You may be able to configure multiple policies differently to work around some cases.

Also, I'm curious about your suppression of 119:225 and 119:228. Can you share any data on those like -A cmg output or maybe a pcap?

Thanks
Russ

On 2/8/19 5:04 AM, Thanos Constantopoulos via Snort-devel wrote:

Hello All,

We are running Snort 3.0.0-250 as IDS and we are trying to suppress several IP addresses from the logs (global suppression from all signatures). In order to perform this for specific IP addresses by source we add the below under snort.lua:

    suppress =
    {
        { gid = 119, sid = 228 },
        { gid = 119, sid = 225 },
        -- track is a string value; both addresses share one entry as an address list
        -- (a repeated ip key in a Lua table keeps only the last value)
        { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10 192.168.10.10' },
    }

My questions are:
- Is there a way to use additional suppression rules to cover by_src with the same gid and sid?
- Is there a way to use additional suppression rules to cover by_src and by_dst, to totally exclude a subnet or IP address?

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!

------------------------------

Message: 2
Date: Fri, 8 Feb 2019 17:28:12 +0000
From: Tim Townsend <Tim () SaifulBouquet com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Help with Suppression

I have removed myself from this group several times through the website but I am still getting emails. Can someone please remove me?

Thanks
TIM TOWNSEND
IT Director

------------------------------

Message: 3
Date: Fri, 8 Feb 2019 19:35:15 +0000 (UTC)
From: "lbelyeu71 () gmail com" <lbelyeu71 () gmail com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>, Tim Townsend <Tim () SaifulBouquet com>
Subject: Re: [Snort-devel] Help with Suppression

Please remove me as well. No longer in this profession.

------------------------------

Message: 4
Date: Fri, 8 Feb 2019 17:04:08 -0500
From: Aaron Taylor <aaroncurtistaylor () gmail com>
To: snort-devel () lists snort org
Subject: [Snort-devel] remove from list

I have also unsubscribed but somehow still getting emails. Please remove me from the list.

------------------------------

Message: 5
Date: Sat, 9 Feb 2019 15:25:50 +0800
From: Mel Griffiths <melsphonemail () gmail com>
To: snort-devel () lists snort org
Subject: [Snort-devel] Fwd: remove from list

Could you please also remove me from this list?

Thanks.

------------------------------

End of Snort-devel Digest, Vol 20, Issue 2
******************************************

------------------------------

Message: 3
Date: Mon, 11 Feb 2019 09:36:23 -0500
From: Russ <rucombs () cisco com>
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 20, Issue 2

Commenting out the rule will disable it completely. Make sure you are not also setting ips.enable_builtin_rules = true. That setting is just to enable the builtin rules w/o using the rule stubs.
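As an added example, not code from the thread or from Snort's own distribution: a snort.lua fragment that fixes the syntax problems in the quoted suppress table and respects the one-suppression-per-gid:sid limit Russ describes. The addresses are constructed placeholders; it assumes that ip accepts a space-separated address list, as other Snort 3 address parameters do, and that the stock snort.lua's include function is available for pulling the table in from a separate file.

```lua
-- Added example for snort.lua (not from the thread). Addresses are constructed.
-- Pitfalls in the quoted config: 'sid 225' lacks '=', 'track = by_src' reads an
-- undefined Lua global (nil), and repeating the 'ip' key keeps only the last value.

suppress =
{
    -- whole signatures, regardless of address
    { gid = 119, sid = 228 },
    { gid = 119, sid = 225 },

    -- 0:0 applies to every rule. Only one suppression is honoured per gid:sid,
    -- so every address to exclude goes into this single entry as an address
    -- list (assumed to be space-separated, like other Snort 3 address values).
    -- 'track' is a string enum: 'by_src' or 'by_dst'.
    { gid = 0, sid = 0, track = 'by_src', ip = '10.10.10.10 192.168.10.10' },

    -- NOT a workaround: a second 0:0 entry tracked by_dst collides with the
    -- entry above instead of adding an independent by_dst suppression, which
    -- is exactly the limit Russ describes. Covering both directions for one
    -- gid:sid is what Eugenio's Snort 2 patch adds.
    -- { gid = 0, sid = 0, track = 'by_dst', ip = '10.10.10.10' },
}

-- Commenting a builtin rule stub out only disables that rule while this stays
-- at its default (false); true enables every builtin rule without the stubs,
-- so the commented-out stub would have no effect. Keep your other ips settings
-- (rules, variables) in this same table.
ips =
{
    enable_builtin_rules = false,
}

-- To keep the suppress table in its own file, the stock snort.lua's include
-- function pulls it in (assumed layout: suppress.lua next to snort.lua):
-- include 'suppress.lua'
```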
Current thread:
- Help with Suppression Thanos Constantopoulos via Snort-devel (Feb 08)
- Re: Help with Suppression Russ via Snort-devel (Feb 08)
- Re: Help with Suppression Tim Townsend (Feb 08)
- Re: Help with Suppression lbelyeu71--- via Snort-devel (Feb 08)
- Re: Help with Suppression Tim Townsend (Feb 08)
- <Possible follow-ups>
- Re: Help with Suppression Thanos Constantopoulos via Snort-devel (Feb 23)
- Re: Help with Suppression Eugenio Pérez via Snort-devel (Feb 23)
- Re: Help with Suppression Russ via Snort-devel (Feb 08)