Snort mailing list archives
RES: Snort - http_inspect
From: "Hugo Leonardo Ferrer Rebello" <Hugo.Rebello () t-systems com br>
Date: Thu, 16 Jul 2009 15:14:48 -0300
Could you help me understand gen_id and sig_id in the suppress syntax? I created the rules below, but they're not working.

suppress gen_id 119, sig_id 16, track by_src, ip 10.58.xxx.xxx
suppress gen_id 119, sig_id 18, track by_src, ip 10.58.xxx.xxx
suppress gen_id 122, sig_id 27, track by_src, ip 10.58.xxx.xxx
suppress gen_id 1, sig_id 1200, track by_src, ip 10.58.xxx.xxx
suppress gen_id 1, sig_id 1201, track by_src, ip 10.58.xxx.xxx
suppress gen_id 1, sig_id 12198, track by_src, ip 10.58.xxx.xxx
suppress gen_id 1, sig_id 13948, track by_src, ip 10.58.xxx.xxx
suppress gen_id 119, sig_id 19, track by_src, ip 10.248.xxx.xxx
suppress gen_id 122, sig_id 27, track by_src, ip 10.248.xxx.xxx
suppress gen_id 1, sig_id 1200, track by_src, ip 10.248.xxx.xxx
suppress gen_id 1, sig_id 1201, track by_src, ip 10.248.xxx.xxx

Look at the alerts below.

#0-(1-22) [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5583>] [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1:12198>] SNMP MS Windows getbulk request 2009-07-16 15:07:07 10.58.xxx.xxx:1158 -> 10.10.xxx.xxx:161 UDP
#1-(1-21) [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5583>] [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1:12198>] SNMP MS Windows getbulk request 2009-07-16 15:07:07 10.58.xxx.xxx:1155 -> 10.10.xxx.xxx:161 UDP
#2-(1-20) [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=119:18>] (http_inspect) WEBROOT DIRECTORY TRAVERSAL 2009-07-16 15:07:04 10.58.xxx.xxx:1149 -> 10.10.xxx.xxx:161 UDP
#7-(1-15) [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=122:27>] (portscan) Open Port 2009-07-16 15:06:58 10.58.xxx.xxx:1095 -> 172.29.xxx.xxx:161 UDP
#8-(1-14) [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=122:27>] (portscan) Open Port 2009-07-16 15:06:58 10.58.xxx.xxx:1083 -> 172.29.xxx.xxx:161 UDP
#9-(1-13) [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=122:1>] (portscan) TCP Portscan 2009-07-16 15:06:58 10.58.xxx.xxx:1082 -> 172.29.xxx.xxx:161 UDP
#10-(1-9) [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=122:1>] (portscan) TCP Portscan 2009-07-16 15:06:58 10.58.xxx.xxx:1042 -> 172.29.xxx.xxx:161 UDP
#0-(1-33) [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=119:7>] (http_inspect) IIS UNICODE CODEPOINT ENCODING 2009-07-16 15:07:31 10.248.xxx.xxx:80 -> 10.58.xxx.xxx:2067 TCP
#1-(1-32) [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=119:18>] (http_inspect) WEBROOT DIRECTORY TRAVERSAL 2009-07-16 15:07:27 10.248.xxx.xxx:80 -> 10.58.xxx.xxx:2067 TCP

________________________________
From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On behalf of JJ Cummings
Sent: Thursday, 16 July 2009 13:53
To: Hugo Leonardo Ferrer Rebello
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort - http_inspect

Then do exactly what Joel said.. you need to suppress them

On Thu, Jul 16, 2009 at 10:39 AM, Hugo Leonardo Ferrer Rebello <Hugo.Rebello () t-systems com br> wrote:

I'm trying to avoid alerts from these hosts.

________________________________
From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On behalf of JJ Cummings
Sent: Thursday, 16 July 2009 12:59
To: Hugo Leonardo Ferrer Rebello
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort - http_inspect

Are you trying to avoid alerts from these hosts, or do you genuinely want to not have the data pass through the http_inspect preprocessor for some specific reason?

On Thu, Jul 16, 2009 at 9:39 AM, Hugo Leonardo Ferrer Rebello <Hugo.Rebello () t-systems com br> wrote:

Hello guys,

Do you know how to ignore some source hosts from the preprocessor http_inspect? Is it possible?

Thank you.

Cheers,
Hugo Rebello
Security Specialist
T-Systems do Brasil Ltda
E-Mail: hugo.rebello () t-systems com br
www.t-systems.com.br

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
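The question in this message is what gen_id and sig_id mean in a suppress entry. An alert's reference of the form "sid=119:18" is its generator id (gid) followed by its signature id (sid); gid 1 is the text rules, gid 119 the http_inspect preprocessor and gid 122 the sfportscan preprocessor. A suppress entry silences an alert only when both numbers match, and with "track by_src" only when the source address is in the listed ip. The following Python checker is an added example, not code from the thread or from Snort: it parses suppress lines in the syntax shown above, evaluates constructed alerts shaped like the pasted BASE rows (the masked addresses are replaced by placeholder IPs 10.58.0.1 and 10.248.0.1), and reports which alerts would still fire. It handles a single address or CIDR per entry, not Snort's bracketed ip lists.

```python
"""Added example (not from the thread): a checker for Snort 'suppress' entries.

Parses
    suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr or CIDR>]
and reports whether an alert, identified by the gid:sid shown in its
"[snort sid=GID:SID]" reference, would be silenced.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Generator ids that appear in the thread: 1 = text rules (*.rules files),
# 119 = http_inspect preprocessor, 122 = sfportscan preprocessor.
GENERATORS = {1: "rules", 119: "http_inspect", 122: "sfportscan"}

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                 # None means "suppress for every address"
    net: Optional[ipaddress.IPv4Network]


def parse_suppress(line: str) -> Suppress:
    """Parse one suppress line; raise ValueError on malformed syntax."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a valid suppress line: {line!r}")
    gid, sid, track, ip = m.groups()
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return Suppress(int(gid), int(sid), track, net)


def load_suppress(text: str) -> List[Suppress]:
    """Parse every non-blank, non-comment line of a config fragment."""
    return [parse_suppress(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_suppressed(rules: List[Suppress], gid: int, sid: int, src: str, dst: str) -> bool:
    """True if some entry matches the alert's gid:sid and, if tracked, its address."""
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue                     # e.g. sid 19 never matches an alert with sid 18
        if r.track is None:
            return True
        addr = ipaddress.ip_address(src if r.track == "by_src" else dst)
        if addr in r.net:
            return True
    return False


# Constructed config: a subset of the thread's entries with placeholder hosts.
CONFIG = """
suppress gen_id 119, sig_id 18, track by_src, ip 10.58.0.1
suppress gen_id 1, sig_id 12198, track by_src, ip 10.58.0.1
suppress gen_id 122, sig_id 27, track by_src, ip 10.58.0.1
suppress gen_id 119, sig_id 19, track by_src, ip 10.248.0.1
"""

# Constructed alerts shaped like the pasted BASE rows: (gid, sid, src, dst).
ALERTS = [
    (1, 12198, "10.58.0.1", "10.10.0.5"),    # SNMP getbulk request, rule sid 12198
    (119, 18, "10.58.0.1", "10.10.0.5"),     # http_inspect WEBROOT DIRECTORY TRAVERSAL
    (122, 1, "10.58.0.1", "172.29.0.9"),     # portscan TCP Portscan; only 122:27 is listed
    (119, 18, "10.248.0.1", "10.58.0.1"),    # same event from 10.248; entry there says sid 19
    (119, 7, "10.248.0.1", "10.58.0.1"),     # IIS UNICODE CODEPOINT ENCODING; no entry at all
]


def evaluate(config: str = CONFIG, alerts=ALERTS):
    """Return {(gid, sid, src): suppressed?} for each alert under the config."""
    rules = load_suppress(config)
    return {(g, s, src): is_suppressed(rules, g, s, src, dst)
            for g, s, src, dst in alerts}


if __name__ == "__main__":
    for (g, s, src), hit in evaluate().items():
        print(f"{GENERATORS.get(g, '?'):13s} {g}:{s:<6} from {src:10s} "
              f"{'suppressed' if hit else 'STILL ALERTS'}")
```

Running the block shows the two classes of miss a practitioner checks first when a suppress entry "does nothing": an entry whose sid differs from the sid in the alert's reference, and an alert whose source is the other end of the conversation, so a by_src entry for one host never sees it.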
Current thread:
- Snort - http_inspect Hugo Leonardo Ferrer Rebello (Jul 16)
- Re: Snort - http_inspect JJ Cummings (Jul 16)
- RES: Snort - http_inspect Hugo Leonardo Ferrer Rebello (Jul 16)
- Re: Snort - http_inspect JJ Cummings (Jul 16)
- RES: Snort - http_inspect Hugo Leonardo Ferrer Rebello (Jul 16)
- RES: Snort - http_inspect Hugo Leonardo Ferrer Rebello (Jul 16)
- Re: RES: Snort - http_inspect Nerijus Krukauskas (Jul 16)
- Re: RES: Snort - http_inspect Matt Olney (Jul 17)
- Re: RES: Snort - http_inspect Nerijus Krukauskas (Jul 17)
- Re: RES: Snort - http_inspect Matt Olney (Jul 17)
- RES: RES: Snort - http_inspect Hugo Leonardo Ferrer Rebello (Jul 17)
- Re: RES: Snort - http_inspect Matt Olney (Jul 17)
- RES: RES: Snort - http_inspect Hugo Leonardo Ferrer Rebello (Jul 17)
- RES: Snort - http_inspect Hugo Leonardo Ferrer Rebello (Jul 16)
- Re: Snort - http_inspect JJ Cummings (Jul 16)