Snort mailing list archives
Re: Suppressing the SCAN UPnP service alerts
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 25 Jun 2014 13:08:34 -0400
On 6/25/2014 2:14 AM, basant subba wrote:
When I run snort, I get a lot of "SCAN UPnP service discover attempt" alerts with SID 1917. How do I suppress this alert? Which .rules file contains the signature corresponding to this alarm? Also, is it something I should keep track of?
do you want to suppress it or stop it? suppressing means that it is still processed (unless i'm misunderstanding something) but the action (alert, drop, etc) is not performed... stopping it means disabling it...

finding a rule is as easy as using a text search tool like grep... this is a script i use on my boxen...

$ cat lookuprule
#! /bin/bash
# lookuprule bash script to find snort rules by sid
grep -i -E "sid:\W*$1;" /path/to/snort/*rules*/*.rules

use it like

./lookuprule 1917

it searches all rules directories under /path/to/snort and all the rules files in those directories... a manually typed command line would be

grep -i -E "sid:\W*1917;" /path/to/snort/*rules*/*.rules

once you find the rule file's name, then edit it to comment out (#) that rule... if you use tools like oinkmaster and pulledpork, they have a disablesid section where you list the SIDs of the rules you do not want active. they will ensure that these rules are always inactive when you use them to update your rules...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
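As an added example that is not part of the original post, the steps the reply describes (find the rules file by SID, comment the rule out) as a small POSIX shell script run against a constructed sample rules file, plus the threshold.conf suppress form that keeps the rule active but silences the event for given source addresses. The rules directory, the file name scan.rules and the shortened sample rules are constructed for this demo, not taken from a real ruleset.

```shell
#!/bin/sh
# Added example (not the reply author's script): locate a Snort rule by SID,
# disable it by commenting it out, and print a threshold.conf suppress line.
# RULES_DIR defaults to a scratch directory; the contents are constructed.

RULES_DIR="${RULES_DIR:-$(mktemp -d)}"

# Constructed sample rules file (shortened rules, for the demo only).
setup_sample_rules() {
    mkdir -p "$RULES_DIR/rules"
    cat > "$RULES_DIR/rules/scan.rules" <<'EOF'
alert udp any any -> 239.255.255.250 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH"; sid:1917; rev:6;)
alert tcp any any -> any 80 (msg:"SAMPLE other rule"; sid: 1000001; rev:1;)
EOF
}

# Print "file:line:rule" for the given SID; tolerates "sid: 1917;" spacing
# and searches every *rules* directory under RULES_DIR like the reply's grep.
find_rule_by_sid() {
    grep -n -H -i -E "sid:[[:space:]]*$1;" "$RULES_DIR"/*rules*/*.rules
}

# Disable the rule with the given SID by prefixing "# " to its line.
# Only uncommented lines are touched, so running it twice is harmless.
disable_sid() {
    f=$(find_rule_by_sid "$1" | cut -d: -f1 | head -n 1)
    [ -n "$f" ] || return 1
    sed -E "/^[^#].*sid:[[:space:]]*$1;/s/^/# /" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Succeed when the rule with the given SID is present but commented out.
is_disabled() {
    grep -q -E "^#.*sid:[[:space:]]*$1;" "$RULES_DIR"/*rules*/*.rules
}

# The other option from the thread: leave the rule enabled but suppress the
# event for a trusted source range (Snort 2.x threshold.conf syntax).
suppress_line() {
    printf 'suppress gen_id 1, sig_id %s, track by_src, ip %s\n' "$1" "$2"
}

setup_sample_rules
find_rule_by_sid 1917
```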
Current thread:
- Suppressing the SCAN UPnP service alerts basant subba (Jun 24)
- Re: Suppressing the SCAN UPnP service alerts Avery Rozar (Jun 25)
- Re: Suppressing the SCAN UPnP service alerts basant subba (Jun 25)
- Re: Suppressing the SCAN UPnP service alerts basant subba (Jun 25)
- Re: Suppressing the SCAN UPnP service alerts basant subba (Jun 25)
- Re: Suppressing the SCAN UPnP service alerts Joel Esler (jesler) (Jun 25)
- Re: Suppressing the SCAN UPnP service alerts waldo kitty (Jun 25)
- Re: Suppressing the SCAN UPnP service alerts basant subba (Jun 25)
- Re: Suppressing the SCAN UPnP service alerts Avery Rozar (Jun 25)