Snort mailing list archives

Re: suppressing alert...


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 22 Sep 2010 12:14:47 -0400

For the first part of your question, I prefer to do one IP per line.  That
way if I need to remove a line, I can grep for the IP, mash "dd" in vi, save
the file, and bump Snort.

As for the second part of your question, I don't know if it's a bug, and I
don't have the time right this second to test to see if I get the same
result.  Maybe someone else can test and if they can replicate it, we can
file a bug to take a look.

J

On Wed, Sep 22, 2010 at 12:07 PM, waldo kitty <wkitty42 () windstream net> wrote:


no one has any comment on this??


On 9/17/2010 14:39, waldo kitty wrote:

if you have more than one IP that you want to suppress an alert for, is it
better to use multiple lines or list all the addresses (and CIDRs) on one line?

example 1:
suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1
suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2


example 2:
suppress gen_id 1, sig_id 1, track by_src, ip [1.1.1.1,2.2.2.2]


i'm undecided and tend to lean more toward example 1 mainly due to the
manageability aspects... consider a large list of IPs and trying to locate and
remove just one...


in using the example 1 format, i note that snort 2.8.6.1 shows two suppression
lines exactly the same but displays "<list>" for the IPs instead of listing the
actual IPs and/or CIDRs given...

[quote]
Sep 17 14:02:50 perseus snort[14304]: +-----------------------[suppression]------------------------------------------
Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1      tracking=src-ip=<list>
Sep 17 14:02:50 perseus snort[14304]: | gen-id=1      sig-id=1      tracking=src-ip=<list>
Sep 17 14:02:50 perseus snort[14304]: -------------------------------------------------------------------------------
[/quote]

using the example 2 format gets one line but still displays "<list>" instead of
the actual IPs and/or CIDRs...

BUG??



------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
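The manageability question above (one address per suppress line, or one bracketed list) is easier to reason about once the lines are parsed rather than grepped. The script below is an added example, written for this archive page; it is not code from the thread or from the Snort project. It handles only the suppress syntax the thread shows (gen_id, sig_id, track by_src/by_dst, a bare address or CIDR, or a bracketed comma-separated list of them); `!` negation, variables and the other threshold.conf directives are out of scope, and the sample config fragment is constructed for the example. It converts between the two forms in either direction, removes one address from whichever form a file uses, and refuses to leave behind a bare "suppress gen_id X, sig_id Y" when the last address is removed, since that form silences the rule for every host.

```python
"""Normalize and edit Snort 2.x 'suppress' lines (threshold.conf).

Added example; not from the mailing-list thread or the Snort project.
Assumed syntax (the subset shown in the thread):
  suppress gen_id G, sig_id S[, track by_src|by_dst, ip ADDR|CIDR|[A,B,...]]
"""
import ipaddress
import re

_SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gen>\d+)\s*,\s*sig_id\s+(?P<sig>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\[[^\]]*\]|\S+))?\s*$"
)

# Constructed sample threshold.conf fragment (not taken from the thread).
SAMPLE = [
    "# noisy scanner hosts, example 1 form",
    "suppress gen_id 1, sig_id 1, track by_src, ip 1.1.1.1",
    "suppress gen_id 1, sig_id 1, track by_src, ip 2.2.2.2",
    "# another rule, example 2 form",
    "suppress gen_id 1, sig_id 2, track by_src, ip [1.1.1.1,10.0.0.0/8]",
]


def parse_suppress(line):
    """Parse one suppress line into dict(gen, sig, track, ips); None for
    comments, blank lines and anything that is not a suppress directive.
    ips is a list of ipaddress network objects (a host becomes a /32)."""
    m = _SUPPRESS_RE.match(line.split("#", 1)[0])
    if not m:
        return None
    ips = []
    if m.group("ip"):
        for tok in m.group("ip").strip("[]").split(","):
            if tok.strip():
                ips.append(ipaddress.ip_network(tok.strip(), strict=False))
    return {"gen": int(m.group("gen")), "sig": int(m.group("sig")),
            "track": m.group("track"), "ips": ips}


def _net_str(net):
    # Print single hosts without the /32 suffix, as the thread writes them.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def format_suppress(entry):
    """Render an entry back into threshold.conf syntax: bare form for one
    address, bracketed list for several, no track/ip clause for none."""
    out = "suppress gen_id %d, sig_id %d" % (entry["gen"], entry["sig"])
    if entry["track"] and entry["ips"]:
        addrs = ",".join(_net_str(n) for n in entry["ips"])
        if len(entry["ips"]) > 1:
            addrs = "[%s]" % addrs
        out += ", track %s, ip %s" % (entry["track"], addrs)
    return out


def expand(lines):
    """Example 1 form: one suppress line per address. Other lines pass through."""
    out = []
    for line in lines:
        e = parse_suppress(line)
        if e is None:
            out.append(line.rstrip("\n"))
        elif e["ips"]:
            out.extend(format_suppress(dict(e, ips=[n])) for n in e["ips"])
        else:
            out.append(format_suppress(e))
    return out


def collapse(lines):
    """Example 2 form: one suppress line per (gen_id, sig_id, track), the
    merged list placed where the group's first line was. Duplicates are dropped."""
    groups, items = {}, []
    for line in lines:
        e = parse_suppress(line)
        if e is None:
            items.append(line.rstrip("\n"))
            continue
        key = (e["gen"], e["sig"], e["track"])
        if key not in groups:
            groups[key] = e
            items.append(e)
        else:
            for n in e["ips"]:
                if n not in groups[key]["ips"]:
                    groups[key]["ips"].append(n)
    return [i if isinstance(i, str) else format_suppress(i) for i in items]


def remove_ip(lines, addr):
    """Drop one address from every suppress line that lists it, whichever form
    the file uses. A line whose list becomes empty is deleted outright: leaving
    'suppress gen_id X, sig_id Y' with no ip clause would silence the rule for all hosts."""
    target = ipaddress.ip_network(addr, strict=False)
    out = []
    for line in lines:
        e = parse_suppress(line)
        if e is None or target not in e["ips"]:
            out.append(line.rstrip("\n"))
            continue
        kept = [n for n in e["ips"] if n != target]
        if kept:
            out.append(format_suppress(dict(e, ips=kept)))
    return out


def is_suppressed(lines, gen, sig, src=None, dst=None):
    """Would an alert for (gen, sig) between src and dst be suppressed? A bare
    entry matches everything; a tracked entry matches when the tracked side
    falls inside one of its networks."""
    for line in lines:
        e = parse_suppress(line)
        if e is None or (e["gen"], e["sig"]) != (gen, sig):
            continue
        if not e["track"]:
            return True
        side = src if e["track"] == "by_src" else dst
        if side is not None and any(ipaddress.ip_address(side) in n for n in e["ips"]):
            return True
    return False


if __name__ == "__main__":
    print("\n".join(collapse(SAMPLE)))
    print("--- after removing 1.1.1.1 ---")
    print("\n".join(remove_ip(SAMPLE, "1.1.1.1")))
```

Run against a real threshold.conf, `expand(collapse(lines)) == expand(lines)` is the check that the two forms carry the same information; the one thing that differs between them is how a single-address edit looks in the diff, which is the point Joel makes about `grep` and `dd`.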

