Snort mailing list archives

Re: Suppress not suppressing all alerts for specific gen_id, only a few.
From: Agus <agus.262 () gmail com>
Date: Wed, 12 Jun 2013 11:59:51 -0300

Thanks guys.

James: that's what I did in between the tests, as it shows in the output.
But I'm still receiving some alerts on that gen_id. Fewer, but still some.
That's what I don't understand.

Joel: Yes. I will probably end up disabling the preprocessor for that. But
I just don't understand why suppress doesn't suppress all alerts on the same gen_id
if put in threshold.conf :S

I will try to test another preprocessor to see if it has the same issue.


2013/6/12 Joel Esler <jesler () sourcefire com>

Why don't you just turn off the alert in the snort.conf?

--
*Joel Esler*

On Jun 12, 2013, at 9:46 AM, Agus <agus.262 () gmail com> wrote:

Hi guys,

Here are the tests... any help is appreciated.

snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.6 GRE (Build 73)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3


+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
| gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
| gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
| gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
| gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
| gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
| gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
Snort exiting
[snort01 snort]# cat alert|grep "138:5"|wc -l
492
[snort01 snort]# rm alert


Now I apply the suppress:

+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1 seconds=60  filtered=4
| gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
| gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=337
| gen-id=119    sig-id=31         type=Suppress  tracking=none filtered=54
| gen-id=120    sig-id=6          type=Suppress  tracking=none filtered=18
| gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=114
| gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
| gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
Snort exiting
[snort01 snort]# cat alert|grep "138:5"|wc -l
63


Also, it's worth mentioning that all alerts regarding
[**] [138:5:1] SENSITIVE-DATA Email Addresses [**] are false positives,
as the information shown in the pcap is encrypted.

Thanks!
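As an added check, not code from this thread or from the Snort project: the script below parses the "filtered events" summary Snort prints at exit (including rows that a mail client wrapped onto a second line), counts alerts in the alert file by exact gid:sid, and reports every type=Suppress entry that still shows up in the alert file. The sample summary and alert lines are constructed from the numbers in this thread; the threshold.conf line in the comment is Snort's documented suppress syntax and is an assumption about what the poster used, not their actual entry.

```python
import re
from collections import Counter

# Constructed sample: the summary Snort prints at exit, shaped like the
# thread's output, including the gen-id=1 row that wrapped when pasted.
FILTERED_EVENTS = """\
+-----------------------[filtered events]--------------------------------------
| gen-id=1      sig-id=2014726    type=Limit     tracking=src count=1
seconds=60  filtered=4
| gen-id=119    sig-id=32         type=Suppress  tracking=none filtered=69
| gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=129
| gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=419
Snort exiting
"""

# Constructed sample alert file (headers only): three 138:5 hits plus one
# 119:32 hit, so the per-signature counts are easy to follow.
ALERT_FILE = """\
[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
[**] [119:32:1] constructed http_inspect sample [**]
[**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
"""

# Assumed threshold.conf entry behind the 138:5 row (Snort's documented
# syntax; the thread does not show the poster's exact line).
SUPPRESS_RULE = "suppress gen_id 138, sig_id 5"

SUMMARY_ROW = re.compile(
    r"^\|\s*gen-id=(\d+)\s+sig-id=(\d+)\s+type=(\w+)\s+tracking=(\w+)(.*)$")
KEY_VALUE = re.compile(r"(\w+)=(\d+)")
ALERT_ID = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")


def unwrap(text):
    """Re-join summary rows that were wrapped onto a continuation line."""
    rows = []
    for line in text.splitlines():
        if line.startswith("|"):
            rows.append(line)
        elif rows and not line.startswith(("+", "Snort")):
            rows[-1] += " " + line  # continuation of the previous row
    return rows


def parse_filtered_events(text):
    """Map (gid, sid) -> {'type', 'tracking', 'filtered', ...} from the summary."""
    table = {}
    for row in unwrap(text):
        m = SUMMARY_ROW.match(row)
        if not m:
            continue
        gid, sid, ftype, tracking, rest = m.groups()
        entry = {"type": ftype, "tracking": tracking}
        entry.update({k: int(v) for k, v in KEY_VALUE.findall(rest)})
        table[(int(gid), int(sid))] = entry
    return table


def count_alerts(text):
    """Exact per-(gid, sid) counts from alert headers; unlike grep "138:5",
    this cannot also match 138:50 or a "138:5" elsewhere on the line."""
    counts = Counter()
    for m in ALERT_ID.finditer(text):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def leaked_suppressions(filtered, alerts):
    """(gid, sid, filtered_count, alerts_logged) for every type=Suppress entry
    that Snort filtered and yet still appears in the alert file."""
    out = []
    for key, entry in sorted(filtered.items()):
        if entry["type"] == "Suppress" and alerts.get(key):
            out.append((key[0], key[1], entry["filtered"], alerts[key]))
    return out


if __name__ == "__main__":
    table = parse_filtered_events(FILTERED_EVENTS)
    alerts = count_alerts(ALERT_FILE)
    for gid, sid, filtered, logged in leaked_suppressions(table, alerts):
        print(f"{gid}:{sid} suppressed {filtered} event(s) but {logged} still logged")
```

Point it at the real console summary and alert file to get exact counts per signature. A substring grep such as `grep "138:5"` would also count any sid under gid 138 that begins with 5 and any "138:5" appearing elsewhere on a line, so an exact gid:sid match is the safer way to confirm whether a suppress entry is letting events through.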

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!