Snort mailing list archives

Converting pass to suppress rules


From: "Stephen Reese" <rsreese () gmail com>
Date: Tue, 28 Oct 2008 10:22:35 -0400

I would like to make sure I have a firm grasp on suppression before
utilizing it in production. Here are my proposed changes. I understand
that snort will continue to evaluate a packet even if a suppress
statement is fired, but I want to make sure that I'm not over-utilizing
it. I really wish you could use src and dst or variables with
suppression, but I guess that keeps them simple.

var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
var EXTERNAL_NET any
var ROLAC [172.31.1.0/24]
var 3825ROUTER [172.31.1.1/32]
var DI200 [172.31.1.223/32,172.31.1.240/32]


#Ignore redirects from the main router to the internet router
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:7;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:5;)

pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000000;)
pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000001;)

suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.0/21
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.0/21

#Chatty Minolta copiers
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:7;)

pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000002;)
pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000003;)

suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.223
suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.240
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.223
suppress gen_id 1, sig_id 473, track by_src, ip 172.31.1.240

#Who cares if internal hosts are pinging each other
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; sid:1000004;)
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; sid:1000005;)

This one I can't figure out, because we want to know if a host may be
pinging the outside world, for example a flood of ICMP PING packets to
somewhere outside our 172.31.1.0.
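An added example, not part of the poster's message, that mechanises the conversion this thread is about: it reads the var definitions, the commented-out alert rules (for their sid, itype and icode) and the active pass rules, and emits one suppress line per source address of each pass rule. The config text is a constructed sample in the shape of the poster's file, and the regexes are my assumptions about the rule syntax shown here; pass rules with no matching alert (such as the internal ICMP PING one) are reported separately, since a suppress needs a sid and has no destination field.

```python
import re
from ipaddress import ip_network

# Constructed sample in the shape of the poster's config (not the original file).
CONFIG = """
var HOME_NET [172.31.1.0/24,172.31.2.0/24]
var ROLAC [172.31.1.0/24]
var 3825ROUTER [172.31.1.1/32]
var DI200 [172.31.1.223/32,172.31.1.240/32]
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; reference:cve,2004-0790; sid:404; rev:7;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; sid:473; rev:5;)
pass icmp $3825ROUTER any -> $ROLAC any (msg:"ICMP redirect net"; icode:0; itype:5; sid:1000001;)
pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000003;)
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; sid:1000005;)
"""

VAR_RE = re.compile(r"^var\s+(\S+)\s+\[([^\]]+)\]")
RULE_RE = re.compile(r"^(#?)(alert|pass)\s+icmp\s+\$(\S+)\s+\S+\s+->\s+\$(\S+)\s+\S+\s+\((.*)\)")
OPT_RE = re.compile(r"(\w+)\s*:\s*([^;]+);")

def parse(config):
    """Collect var -> networks, (itype, icode) -> alert sid, and the active pass rules."""
    nets, alerts, passes = {}, {}, []
    for line in config.splitlines():
        if m := VAR_RE.match(line):
            nets[m[1]] = [ip_network(x.strip()) for x in m[2].split(",")]
        elif m := RULE_RE.match(line):
            commented, action, src, dst, body = m.groups()
            opts = dict(OPT_RE.findall(body))
            key = (opts.get("itype"), opts.get("icode"))
            if action == "alert":            # commented-out alerts still tell us the sid
                alerts[key] = int(opts["sid"])
            elif not commented:
                passes.append((src, dst, key))
    return nets, alerts, passes

def pass_to_suppress(config, gen_id=1):
    """One 'suppress ... track by_src' line per source address of each pass rule,
    keyed to the alert sid with the same itype/icode; unmatched pass rules are returned apart."""
    nets, alerts, passes = parse(config)
    out, unmatched = [], []
    for src, dst, key in passes:
        if key not in alerts:
            unmatched.append((src, dst, key))
            continue
        for net in nets[src]:
            # no destination in a suppress: by_src silences the sid for that source towards every dst
            ip = str(net.network_address) if net.prefixlen == 32 else net.with_prefixlen
            out.append(f"suppress gen_id {gen_id}, sig_id {alerts[key]}, track by_src, ip {ip}")
    return out, unmatched
```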
