Snort mailing list archives

Re: Supressing alert


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Mon, 29 Jun 2009 12:24:18 -0600

Hi,

When I try this, I get an error message about the rule with the same GID/SID being redefined with a different type.  I 
changed the SID to something in the 1 million range, and Snort loads correctly.

I defined this in local.rules:

pass tcp 10.0.0.1 any -> 10.0.0.2 any (msg:"ET ATTACK_RESPONSE Adenau Shellcode False Positive"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009249; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:1500000; rev:2;)

Is that the best method for ignoring this one specific src/dst pair for this specific detection with Snort? (I don't 
want Snort to ignore all traffic going between these two machines.)


-----Original Message-----
From: Shenk, Jerry A [mailto:jshenk () decommunications com] 
Sent: June 26, 2009 11:34 AM
To: Jefferson, Shawn; Snort Users
Subject: RE: [Snort-users] Supressing alert

No, you can specify source and destination...something like:

# variable keyword is lowercase and references use $; SNMP polling is UDP/161
var SNMP_MONITORS [192.168.1.1,192.168.1.2]
pass udp $SNMP_MONITORS any -> $HOME_NET 161 (msg:"INTERNAL SNMP monitor";
sid:1417; rev:2; classtype:attempted-recon;)

Something like that...  In this case, the sid refers to the "original
rule" that this is an exclusion for.

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com] 
Sent: Friday, June 26, 2009 1:53 PM
To: Snort Users
Subject: [Snort-users] Supressing alert

Hi,
 
I want to suppress an alert, but only from a specific src to a specific
dst.  Looking at the documentation for alert suppression, it looks like
you can either use track by_src OR by_dst.  What's the best way to do
this?
 
Thanks,
 
-- 
Shawn

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
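The two approaches discussed in the thread side by side, added here as an example and not code posted by either participant. It assumes Snort 2.8-era syntax; the variable names SHELLCODE_FP_SRC/SHELLCODE_FP_DST and the pass rule's msg text are assumptions, while the addresses, the ET signature number 2009249, the local sid 1500000 and the content matches are those from Shawn's rule above.

```snort
# --- snort.conf fragment --------------------------------------------------
# Example configuration, not from the thread. Variable names are assumed.

# The one src/dst pair for which ET 2009249 is a known false positive.
var SHELLCODE_FP_SRC [10.0.0.1]
var SHELLCODE_FP_DST [10.0.0.2]

# If your Snort build evaluates alert rules before pass rules, the alert
# fires before the pass rule is reached; this directive moves pass first.
config order: pass alert log activation

# What 'suppress' offers: it keys on ONE side of the conversation.
# Either line below silences sig 2009249 for every peer of that host,
# which is broader than the thread wants, so they are left commented out.
# suppress gen_id 1, sig_id 2009249, track by_src, ip 10.0.0.1
# suppress gen_id 1, sig_id 2009249, track by_dst, ip 10.0.0.2

# --- local.rules ----------------------------------------------------------

# Pair-specific exclusion. It repeats the original rule's protocol and
# content matches so only that exact detection is passed, restricts the
# header to the one src/dst pair, and uses a local sid (1000000+) so it
# does not collide with the ET rule's own sid (that collision is the
# "redefined with a different type" error reported above).
pass tcp $SHELLCODE_FP_SRC any -> $SHELLCODE_FP_DST any (msg:"LOCAL pass ET 2009249 false positive 10.0.0.1 -> 10.0.0.2"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; sid:1500000; rev:1;)
```

The pass rule is the narrow option: traffic between the two hosts that does not carry these exact content matches is still inspected by every other rule, whereas a suppress entry or a BPF filter excluding the pair would hide everything between them.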