How do i suppress this rule

RonpfS

http://forum.pfsense.org/index.php/topic,41533.msg220902.html#msg220902

ipv6kid

BUMP

This rule is not being suppressed even though I believe I have everything correctly written in SNORT > Suppress:
suppress gen_id 120, sig_id 3

I've restarted Snort and also restarted the entire PFsense router and SNORT 2.0 is still throwing alerts for this SID.

What's the issue?

ipv6kid

I am getting the following SNORT startup message in system.log:

Nov 12 16:29:45 www snort[1955]: +–---------------------[suppression]–----------------------------------------
Nov 12 16:29:45 www snort[1955]: +–---------------------[suppression]–----------------------------------------
Nov 12 16:29:45 www snort[1955]: | none
Nov 12 16:29:45 www snort[1955]: | none
Nov 12 16:29:45 www snort[1955]: –-----------------------------------------------------------------------------
Nov 12 16:29:45 www snort[1955]: –-----------------------------------------------------------------------------

It seems that my suppression rule isn't being activated somehow…...

Cino

after you created the list, did you select that list under the interface config page?

ipv6kid

No I did not, and that seemed to be the problem. Didn't know I had to do that… thanks girlfriend!
@Cino:

after you created the list, did you select that list under the interface config page?

NightHawk007

@Cino:

after you created the list, did you select that list under the interface config page?

Where is this page located i can't seem to find it .With problem i can't search the internet at all i keep getting the rule blocked .

RonpfS

Uncheck Block offenders until you fix the suppress rule and still have internet access.

It is under Snort: Interface Edit: (If settings) Suppression and filtering

A Former User

@RonpfS:

Uncheck Block offenders until you fix the suppress rule and still have internet access.

It is under Snort: Interface Edit: (If settings) Suppression and filtering

I just have snort turned off .Tried to suppress rule and nothing works

RonpfS

Did you remove your WAN IP from the Blocked list?

A Former User

@RonpfS:

Did you remove your WAN IP from the Blocked list?

MY ip was never blocked

dwood

In the "for what it's worth category" this message, and my need to suppress it (amd64 V2.0), disappeared with an uninstall of SNORT and reinstall with the updated 2.9.1 package.

Previous to that, everything was being blocked and the event log was being flooded with HTTP_INSPECT events.

RonpfS

2011-11-12 00:05:24	Daemon.Notice	x.x.x.x	snort[33078]: | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=109

I still get them  :-[

ipv6kid

Youtube Video