IDS mailing list archives

Re: Snort Network Suppression

From: Ureleet <ureleet () gmail com>
Date: Mon, 17 Dec 2007 12:22:22 -0500

latest stable is 2.8.0.1.  look it up.  www.snort.org

you should compile snort anyway imnsho.  why rely on a package that
someone put together.  just compile snort and go with it.

On Dec 15, 2007 5:52 AM, Matteo Ignaccolo <matteo.ignaccolo () gmail com> wrote:

Jonathan Askew JBASKEW wrote:

I am new to IDS and have just set up snort on a ubuntu host.


Which snort version?
On debian and debian based distros, as ubuntu, yuo will find only old
versions of snort.
For example, this summer on official ubuntu mirror was available
Snort 2.3.3, when the latest STABLE release was the 2.7
IMHO the best way to use snort on ubuntu is compile latest stable
release.

It has worked
well except for the fact that I am getting some false positivies
from local
traffic on the network.


Have you set the proper rules set for your network?

I want to set a rule in order to suppress/ignore local network
traffic for 192.168.1.0/24.
I know this can be done in the /etc/threshold.conf file but have
not been
able to do so successfully.


The correct solution is the tip in Boogie B. answer.
If I remember well, during installation you set your internal network
IP address and subnet, but the external net is sets to "any" as default
Remember that is not a good choice suppress all traffic from internal
host, because you'll be not able to detect anomaly activity that
starts from internal host.

--
Matteo Ignaccolo




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Current thread:

Snort Network Suppression Jonathan Askew JBASKEW (Dec 14)
- RE: Snort Network Suppression Michael LaSalvia (Dec 14)
- Re: Snort Network Suppression Boogie B. (Dec 14)
  - Message not available
    - Re: Snort Network Suppression Jonathan Askew JBASKEW (Dec 17)
- Re: Snort Network Suppression Ngot (Dec 17)
- Re: Snort Network Suppression Alexander Bondarenko (Dec 17)
  - Re: Snort Network Suppression Jamie Riden (Dec 17)
- Re: Snort Network Suppression Jamie Riden (Dec 17)
- Re: Snort Network Suppression Matteo Ignaccolo (Dec 17)
  - Re: Snort Network Suppression Ureleet (Dec 17)