Thresholds tab in snort - suppress not stopping alerts
-
Hi, I have the following configuration:
pfSense Ver: 1.2.3-RELEASE
Snort: Snort 2.8.5.3 pkg v. 1.24
In the Suppress tab, I added the following entries:
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 13
suppress gen_id 119, sig_id 14
and restarted Snort, but an alert is still generated and the related IP (computer) gets blocked.
Earlier, in v. 1.22, I added these to threshold.conf of each interface and it worked.
Should I do the same in this Snort package version also?
-
Make sure you select the suppress list at the interface edit tab.
James
-
Thanks James,
I am sorry for disturbing you. It is my fault for raising the question without studying the interface.
I selected the suppression file in the interface tab (IF settings) and now it works fine.
Thank you once again.
-
James,
It seems these 2 suppress rules cannot suppress. I am still getting an alert and block on these:
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 14
Davc
-
suppress gen_id 119, sig_id 4 http_inspect: BARE BYTE UNICODE ENCODING
I think that's a Flash false positive.
Make sure you restart snort after you have these settings entered.
James
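The two replies above come down to one check: a suppress entry only does anything when the list is selected on the interface and Snort has been restarted, and even then it only matches the exact gen_id:sig_id pair (optionally narrowed to a source or destination address) that the alert carries. An offline way to confirm that the entries in a list actually cover the alerts you keep seeing is to match the `[gid:sid:rev]` field of Snort's fast-format alert lines against the list. The script below is an added example written for this thread, not code from the original posts or from the pfSense Snort package. The suppress list and the alert lines are constructed samples; only the 119:4 message text comes from the thread, the other message texts are illustrative, and the `track by_src|by_dst, ip <addr>` form of suppress entry is Snort's documented narrower variant, included here to show the difference from the blanket entries used in the thread.

```python
import ipaddress
import re

# Constructed sample suppress list. The first two lines have the same form as
# the thread's entries; the third uses Snort's "track ... ip ..." option to
# suppress only for one source network (an assumption for illustration).
SUPPRESS_CONF = """
# blanket suppression: never alert on 119:2 or 119:4, whatever the source
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
# narrow suppression: drop 119:13 only when the source is in 192.168.1.0/24
suppress gen_id 119, sig_id 13, track by_src, ip 192.168.1.0/24
"""

# Constructed alert lines in Snort's "fast" alert format (-A fast / alert_fast).
ALERTS = """
04/12-10:01:02.123456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51234 -> 203.0.113.5:80
04/12-10:01:03.000001  [**] [119:13:1] (http_inspect) SAMPLE MESSAGE A [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.21:51235 -> 203.0.113.5:80
04/12-10:01:04.000002  [**] [119:13:1] (http_inspect) SAMPLE MESSAGE A [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.9:40000 -> 203.0.113.5:80
04/12-10:01:05.000003  [**] [119:14:1] (http_inspect) SAMPLE MESSAGE B [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.22:51236 -> 203.0.113.5:80
"""

# suppress gen_id <n>, sig_id <n>[, track by_src|by_dst, ip <addr or CIDR>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
# [**] [gid:sid:rev] message [**] ... src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)


def parse_suppress(text):
    """Parse a suppress list; raise ValueError on a malformed entry so a typo
    does not silently turn into 'no suppression'."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a valid suppress entry: {line!r}")
        gid, sid, track, ip = m.groups()
        rules.append({
            "gid": int(gid), "sid": int(sid), "track": track,
            "net": ipaddress.ip_network(ip, strict=False) if ip else None,
        })
    return rules


def parse_alert(line):
    """Extract gid, sid, message and endpoint addresses from one fast-format line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, msg, src, dst = m.groups()
    return {"gid": int(gid), "sid": int(sid), "msg": msg,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def is_suppressed(alert, rules):
    """A rule matches on the exact gid:sid pair; a tracked rule also requires
    the tracked endpoint to fall inside the rule's network."""
    for r in rules:
        if (r["gid"], r["sid"]) != (alert["gid"], alert["sid"]):
            continue
        if r["track"] is None:
            return True
        addr = alert["src"] if r["track"] == "by_src" else alert["dst"]
        if addr in r["net"]:
            return True
    return False


def audit(alert_text, suppress_text):
    """Return (suppressed, unsuppressed) lists of 'gid:sid src->dst' strings."""
    rules = parse_suppress(suppress_text)
    suppressed, unsuppressed = [], []
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        key = f"{a['gid']}:{a['sid']} {a['src']}->{a['dst']}"
        (suppressed if is_suppressed(a, rules) else unsuppressed).append(key)
    return suppressed, unsuppressed


if __name__ == "__main__":
    done, still_firing = audit(ALERTS, SUPPRESS_CONF)
    print("covered by the suppress list:", done)
    print("NOT covered (check the list is selected on the interface):", still_firing)
```

Run against a real `alert` log and the suppress list the interface actually references (not just the one you edited): anything that lands in the second list either has no matching entry or has an entry whose `track`/`ip` scope does not cover the offending host, and anything in the first list that still fires on the box means the list is not the one selected for that interface or Snort was not restarted.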
-
Wow, I feel like an idiot that I did not see that before. I guess I believed the drop-down menus only had Default, like my Home Net and External Net have, and ignored the rest, while completely ignoring the fine text, which is quite small on my laptop... duuurr