Re: Disable sid vs. Suppress

[Joel Esler <jesler () sourcefire com>]

We have alerts that have flowbit rules that have noalert, we have flowbit rules that don't, and we have some rules that 
have two variations, one with a flowbit, and one without. 

For example, we have a rule that looks for the download of a Chrome extension. It sets a flowbit, but it's not a 
noalert. As the extension is compressed, we are providing the option for Snort I line users to block them completely. 

If you have a flowbit "set" rule that doesn't have noalert in it, and you don't want the alert, then set a suppression 
in threshold.conf. 

-- 
Joel Esler

On Sep 22, 2011, at 12:12 PM, Dave Venman <dvenman () sourcefire com> wrote:

> Most VRT rules I see with flowbits from the VRT which do the protocol/state modelling have the "noalert" in the 
> flowbit section, so there should be no need either to modify the rule nor to add a suppression for it either.
>
> Of course I'm more than welcome to be corrected . . .
>
> On 22 September 2011 17:00, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
> Yes, but that entails changing the rule, doesn’t it? (could be wrong)  I’d rather not touch the rules as they come 
> from VRT and ET, so I have been using suppression for these.
>
>  
>
>  
>
>  
>
> From: Dave Venman [mailto:dvenman () sourcefire com] 
> Sent: Wednesday, September 21, 2011 9:25 PM
> To: Lay, James
> Cc: Jefferson, Shawn; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Disable sid vs. Suppress
>
>  
>
> Rather than suppression, the "noalert" option in the flowbits portion of the rule can do that for you, i.e. it allows 
> a rule which does detection purely to set a flowbit state (for example the flowbit client_hello in some of the ssl 
> rules, which is used later when the SSL session being inspected is more advanced in its setup ) to *not* generate an 
> event.
>
> On 21 September 2011 20:39, Lay, James <james.lay () wincofoods com> wrote:
>
>
> From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
> Sent: Wednesday, September 21, 2011 11:34 AM
> To: Lay, James; snort-users () lists sourceforge net
> Subject: RE: Disable sid vs. Suppress
>
>
> Some rules will set flowbits for others rules to fire on, so those ones
> will have to be suppressed instead of disabled (Pulled Pork nicely
> re-enables these flowbit setting rules for you.)
>
>
>
>
> Thanks Shawn...didn't know that :)
>
>
> James
>
>  
> <cut>
>
> -- 
> Dave Venman, CISSP
> Security Engineer Manager, Sourcefire EMEA
> Email:   dave.venman () sourcefire com
> Mobile: +44 (7917) 168068
> DDI:     +44 (118) 989 8412
> Fax:     +44 (118) 989 8401
>
>
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2dcopy1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2dcopy2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!