Re: Fine tuning Snort

[Joel Esler <jesler () sourcefire com>]

The best examples for suppressions are in the threshold.conf file.

J

On Oct 8, 2010, at 8:47 AM, James Lay wrote:

> What the….I looked all through the snort pdf too and since I didn't see an example showing that I uh…well 
> assumed…..heh..you've saved me a BUNCH of time..thanks Scott.
>
> Jam
>
> From: ScottO <skippylou () gmail com>
> Date: Fri, 8 Oct 2010 08:31:57 -0400
> To: James Lay <jlay () slave-tothe-box net>
> Cc: Snort <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Fine tuning Snort
>
> James,
>
> You can specify cidr notation for address blocks in threshold.conf, something like:
>
> suppress gen_id 1, sig_id 11111, track by_src, ip 10.1.2.0/24
>
> Hope that helps,
>
> scott
>
> On Fri, Oct 8, 2010 at 8:24 AM, James Lay <jlay () slave-tothe-box net> wrote:
> > Thanks Waldo,
> >
> > It's been quite interesting...I have at least four rules that look for
> > executables...and as I look at the threshold file I can only threshold
> > against one IP at a time...meaning I've got a lot of work to do as I have
> > to add pretty much most of google and windowsupdate.com ;)  Even thought
> > I'm tempted to simply start snort to not monitor those netblocks, eh...I'd
> > rather do the right thing.
> >
> > Thanks again for the help.
> >
> > James
> >
> >
> > On 10/7/10 10:23 PM, "waldo kitty" <wkitty42 () windstream net> wrote:
> >
> > > On 10/7/2010 14:02, James Lay wrote:
> > > > Kevin and Waldo, you gents are treasuresŠI will get to work and report
> > > > my
> > > > resultsŠthank you much!
> > >
> > > something else to thing about concerning rules that you would just
> > > totally
> > > suppress in threshold.conf... if they are completely suppressed then you
> > > might
> > > as well comment them out of the rules set so they do not consume any
> > > memory and
> > > snort won't waste any time loading them just to be ignoring them... but i
> > > guess
> > > this also depends on your tools and management systems... some may use
> > > only
> > > threshold to "disable" rules where others may actually comment them in
> > > the rules
> > > sets files... personally, i think the threshold file is best to suppress
> > > certain
> > > rules for certain IPs... total suppression is the same as disabled so...
> > > ;)
> > >
> > > --------------------------------------------------------------------------
> > > ----
> > > Beautiful is writing same markup. Internet Explorer 9 supports
> > > standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> > > Spend less time writing and  rewriting code and more time creating great
> > > experiences on the web. Be a part of the beta today.
> > > http://p.sf.net/sfu/beautyoftheweb
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Beautiful is writing same markup. Internet Explorer 9 supports
> > standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> > Spend less time writing and  rewriting code and more time creating great
> > experiences on the web. Be a part of the beta today.
> > http://p.sf.net/sfu/beautyoftheweb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------------------------------------------------------ Beautiful is writing same markup. 
> Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time 
> writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. 
> http://p.sf.net/sfu/beautyoftheweb_______________________________________________ Snort-users mailing list 
> Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users