Snort mailing list archives

Re: suppress sid:1000002 ICMP alert


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 29 Sep 2009 10:13:50 -0600

If you want to only ignore a rule for a specific src and dst pair, then AFAIK, you need to create a PASS rule.



________________________________
From: Ron Kaye Jr [mailto:rekaye1005 () verizon net]
Sent: Tuesday, September 29, 2009 8:01 AM
To: dvenman () sourcefire com; snort-users () lists sourceforge net; ny-sug () lists snort org
Subject: [Snort-users] suppress sid:1000002 ICMP alert

thx

here is my problem child
4 - 639531

2009-09-25 12:08:29

[local: signatures/1000002.txt] [snort: http://www.snort.org/pub-bin/sigs.cgi?sid=1:1000002] Snort Alert [1:1000002:0]



massive numbers of these ICMP alerts
typically, a keepalive with source/destination router/snort server, snort server/router
but there are other src/dest which i would allow/monitor

in threshold ...
suppress gen_id 1, sig_id 1000002

would get everything

any thoughts?


do you use IDS Policy Manager (XP client)
choked on that sid of 1000005

is that a non-snort, user-defined range?

thx again

Ron Kaye Jr
914-7294734

On Sep 28, 2009, Dave Venman <dvenman () sourcefire com> wrote:
The "1" before the ":sid".

Each different event generator (rules, SO rules, preprocessors) has its own, and 1 is rules, 3 is SO rules, etc.

On 28 Sep 2009, at 18:49, Ron Kaye Jr <rekaye1005 () verizon net> wrote:
see the sid, where da gid?

Ron Kaye Jr
914-7294734

On Sep 28, 2009, Dave Venman <dvenman () sourcefire com> wrote:
If you mean, what are the SID and GID for the two rules shown, then the "sid=" parameter in the base output gives it all away.

GID is 1, SID is 11974 or 11988.

2009/9/28 Ron Kaye Jr <rekaye1005 () verizon net>
next ...

how do i track down the gen_id and sig_id for my suppression line in threshold.conf

my "base" output for ...


VOIP-SIP response too small
ID #   Time   Triggered Signature
4 - 315702   2009-09-24 09:07:10   [url: http://www.ietf.org/rfc/rfc3261.txt] [local: signatures/11974.txt] [snort: http://www.snort.org/pub-bin/sigs.cgi?sid=1:11974] VOIP-SIP response too small



VOIP-SIP From header format string attempt
ID #   Time   Triggered Signature
4 - 309836   2009-09-23 16:32:43   [url: http://www.ietf.org/rfc/rfc3261.txt] [url: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/] [local: signatures/11988.txt] [snort: http://www.snort.org/pub-bin/sigs.cgi?sid=1:11988] VOIP-SIP From header format string attempt


thx

Ron Kaye Jr
914-7294734
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Dave Venman
Security Engineer, Sourcefire
Email:     dave.venman () sourcefire com
Mobile: +44 (7917) 168068
DDI:     +44 (118) 989 8412
Fax:     +44 (118) 989 8401
