Snort mailing list archives
Re: Suppress not suppressing all alerts for specific gen_id, only a few.
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 12 Jun 2013 08:13:33 -0600
Quick workaround, threshold them out:

suppress gen_id 138, sig_id 5

James

On Jun 12, 2013, at 7:46 AM, Agus <agus.262 () gmail com> wrote:
Hi guys,

Here are the tests... any help is appreciated.

snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.6 GRE (Build 73)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

+-----------------------[filtered events]--------------------------------------
| gen-id=1 sig-id=2014726 type=Limit tracking=src count=1 seconds=60 filtered=4
| gen-id=119 sig-id=31 type=Suppress tracking=none filtered=54
| gen-id=119 sig-id=19 type=Suppress tracking=none filtered=337
| gen-id=119 sig-id=32 type=Suppress tracking=none filtered=69
| gen-id=120 sig-id=8 type=Suppress tracking=none filtered=129
| gen-id=120 sig-id=6 type=Suppress tracking=none filtered=18
| gen-id=120 sig-id=3 type=Suppress tracking=none filtered=114
Snort exiting

[snort01 snort]# cat alert|grep "138:5"|wc -l
492
[snort01 snort]# rm alert

Now I apply the suppress:

+-----------------------[filtered events]--------------------------------------
| gen-id=1 sig-id=2014726 type=Limit tracking=src count=1 seconds=60 filtered=4
| gen-id=119 sig-id=32 type=Suppress tracking=none filtered=69
| gen-id=119 sig-id=19 type=Suppress tracking=none filtered=337
| gen-id=119 sig-id=31 type=Suppress tracking=none filtered=54
| gen-id=120 sig-id=6 type=Suppress tracking=none filtered=18
| gen-id=120 sig-id=3 type=Suppress tracking=none filtered=114
| gen-id=120 sig-id=8 type=Suppress tracking=none filtered=129
| gen-id=138 sig-id=5 type=Suppress tracking=none filtered=419
Snort exiting

[snort01 snort]# cat alert|grep "138:5"|wc -l
63

Also, it's worth mentioning that all alerts regarding [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] are false positives, as the information shown in the pcap is encrypted.

Thanks!

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows: Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
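The check behind the thread's numbers, as an added example that is not part of the original messages and not Snort project code: a small Python script that parses Snort alert_fast lines, tallies them per gid:sid, and replays threshold.conf-style suppress lines over them, so the effect of `suppress gen_id 138, sig_id 5` (with and without `track by_src, ip ...`) can be compared against the alert file rather than inferred from grep|wc. The alert lines, the non-138 event messages, the suppress lines and the IP addresses are constructed samples; the bracketed-list form for `ip` is an assumption. The script does not explain why 63 alerts survived in the test above, it only makes that kind of count reproducible.

```python
"""Tally Snort alert_fast lines per gid:sid and replay suppress lines over
them.  Added example for this thread, not Snort project code; the alert
lines and suppress lines below are constructed samples."""
import ipaddress
import re
from collections import Counter

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], classification,
# priority, {proto} src[:port] -> dst[:port].  IPv4 only: an IPv6 address
# contains ':' and would need a different address/port split.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[^\s:]+)(?::\d+)? -> (?P<dst>[^\s:]+)(?::\d+)?"
)

# threshold.conf suppress line:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr|[list]>]
# A single address or CIDR is the documented case; the bracketed comma list
# is assumed here.  A trailing "# comment" is ignored.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>[^#]+?))?"
    r"\s*(?:#.*)?$"
)

SAMPLE_ALERTS = [  # constructed, not lines from the poster's sensor
    "06/12-07:40:01.000001  [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] "
    "[Classification: Sensitive Data] [Priority: 2] {TCP} 10.1.1.54:443 -> 192.168.1.10:51234",
    "06/12-07:40:01.000002  [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] "
    "[Classification: Sensitive Data] [Priority: 2] {TCP} 10.1.1.54:443 -> 192.168.1.11:51235",
    "06/12-07:40:02.000003  [**] [138:5:1] SENSITIVE-DATA Email Addresses [**] "
    "[Classification: Sensitive Data] [Priority: 2] {TCP} 10.1.1.99:443 -> 192.168.1.12:51236",
    "06/12-07:40:02.000004  [**] [119:31:1] CONSTRUCTED http_inspect sample [**] "
    "[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.12:51237 -> 10.1.1.99:80",
    "06/12-07:40:03.000005  [**] [1:1000001:1] LOCAL constructed test rule [**] "
    "[Priority: 1] {ICMP} 192.168.1.13 -> 10.1.1.99",
    "",  # blank line, as found between records in some output formats
]


def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev"):
        alert[key] = int(alert[key])
    return alert


def parse_alert_file(lines):
    """Parse every line that is an alert; skip blanks and non-alert text."""
    return [a for a in (parse_fast_alert(l) for l in lines) if a]


def count_by_sig(alerts):
    """Counter keyed by (gid, sid), the same key the suppress line uses."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def parse_suppress(line):
    """Parse one suppress line into {gid, sid, track, nets}."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError("not a suppress line: %r" % line)
    nets = None
    if m.group("ip"):
        raw = m.group("ip").strip().strip("[]")
        nets = [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",")]
    return {"gid": int(m.group("gid")), "sid": int(m.group("sid")),
            "track": m.group("track"), "nets": nets}


def matches(rule, alert):
    """True if the rule suppresses this alert (tracking none, by_src or by_dst)."""
    if (rule["gid"], rule["sid"]) != (alert["gid"], alert["sid"]):
        return False
    if rule["track"] is None:
        return True  # no tracking: every event for this gid:sid is dropped
    field = "src" if rule["track"] == "by_src" else "dst"
    addr = ipaddress.ip_address(alert[field])
    return any(addr in net for net in rule["nets"])


def apply_suppress(alerts, rules):
    """Return (kept alerts, Counter of filtered events per (gid, sid))."""
    kept, filtered = [], Counter()
    for alert in alerts:
        rule = next((r for r in rules if matches(r, alert)), None)
        if rule is None:
            kept.append(alert)
        else:
            filtered[(rule["gid"], rule["sid"])] += 1
    return kept, filtered


if __name__ == "__main__":
    alerts = parse_alert_file(SAMPLE_ALERTS)
    print("before suppress:", dict(count_by_sig(alerts)))
    for line in ("suppress gen_id 138, sig_id 5",
                 "suppress gen_id 138, sig_id 5, track by_src, ip 10.1.1.54"):
        kept, filtered = apply_suppress(alerts, [parse_suppress(line)])
        print(line, "->", dict(filtered), "kept:", dict(count_by_sig(kept)))
```

To run it over a real sensor, replace SAMPLE_ALERTS with the lines of the alert file and the suppress lines with the ones from threshold.conf; the `filtered` counter is then directly comparable with the `filtered=` column of the "[filtered events]" table, and the `kept` count with what grep "138:5" still finds.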
Current thread:
- Suppress not suppressing all alerts for specific gen_id, only a few. Agus (Jun 12)
- Re: Suppress not suppressing all alerts for specific gen_id, only a few. James Lay (Jun 12)
- Re: Suppress not suppressing all alerts for specific gen_id, only a few. Joel Esler (Jun 12)