Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata/Snort master SID disablesid.conf

    Scheduled Pinned Locked Moved IDS/IPS
    96 Posts 38 Posters 106.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      Clear-Pixel
      last edited by

      Could more people with snort/security experience confirm that this list would not compromise a home network environment.

      HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
      Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
      Single Ethernet Port - VLAN
      Cisco SG300 10-port Gigabit Managed Switch
      Cisco DPC3008 Cable Modem  30/4 Mbps
      Pfsense 2.1-RELEASE (amd64)
      –------------------------------------------------------------
      Total Network Power Consumption - 29 Watts

      1 Reply Last reply Reply Quote 0
      • L
        lindsay
        last edited by

        I am using it with snort vrt and emergingthreats pro

        But i wonder what those are for?

        suppress gen_id 1, sig_id 536
        suppress gen_id 1, sig_id 648
        suppress gen_id 1, sig_id 8375
        suppress gen_id 1, sig_id 11192
        suppress gen_id 1, sig_id 12286
        suppress gen_id 1, sig_id 15147
        suppress gen_id 1, sig_id 15306
        suppress gen_id 1, sig_id 15362
        suppress gen_id 1, sig_id 17458
        suppress gen_id 1, sig_id 20583
        suppress gen_id 1, sig_id 2000334
        suppress gen_id 1, sig_id 2010516
        suppress gen_id 1, sig_id 2012088
        suppress gen_id 1, sig_id 2013222
        suppress gen_id 1, sig_id 2014819
        suppress gen_id 1, sig_id 2014520
        suppress gen_id 1, sig_id 2101390
        suppress gen_id 1, sig_id 2103134
        suppress gen_id 1, sig_id 2500056
        suppress gen_id 119, sig_id 2
        suppress gen_id 119, sig_id 4
        suppress gen_id 119, sig_id 14
        suppress gen_id 119, sig_id 31
        suppress gen_id 119, sig_id 32
        suppress gen_id 120, sig_id 2
        suppress gen_id 120, sig_id 3
        suppress gen_id 120, sig_id 4
        suppress gen_id 120, sig_id 6
        suppress gen_id 120, sig_id 8
        suppress gen_id 120, sig_id 9
        suppress gen_id 122, sig_id 19
        suppress gen_id 122, sig_id 21
        suppress gen_id 122, sig_id 22
        suppress gen_id 122, sig_id 23
        suppress gen_id 122, sig_id 26
        suppress gen_id 137, sig_id 1
        

        I like to have a comment  for why this is excluded from the snort.conf alert/block

        Fiberline 500/500Mbps
        Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz

        1 Reply Last reply Reply Quote 0
        • D
          dshin879
          last edited by

          thats alot of suppressions for normal use.

          1 Reply Last reply Reply Quote 0
          • BBcan177B
            BBcan177 Moderator
            last edited by

            I believe that rules should be disabled first before using a suppression. I only use a suppression if I want to configure a rule for a particular IP.

            Pre-Processors (ssp_ssl, spp_sip, spp_gtp, http_inspect, smtp etc…) would also need to be suppressed as needed.

            Either way, Disabling Rules or Suppressing Rules opens up your network to potential harm. I have installed a Full Packet Capture IDS system called "Security Onion" installed immediately behind pfSense so any rules that I have disabled or suppressed can be looked at in more detail.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            1 Reply Last reply Reply Quote 0
            • A
              asterix
              last edited by

              @lindsay:

              I am using it with snort vrt and emergingthreats pro

              But i wonder what those are for?

              suppress gen_id 1, sig_id 536
              suppress gen_id 1, sig_id 648
              suppress gen_id 1, sig_id 8375
              suppress gen_id 1, sig_id 11192
              suppress gen_id 1, sig_id 12286
              suppress gen_id 1, sig_id 15147
              suppress gen_id 1, sig_id 15306
              suppress gen_id 1, sig_id 15362
              suppress gen_id 1, sig_id 17458
              suppress gen_id 1, sig_id 20583
              suppress gen_id 1, sig_id 2000334
              suppress gen_id 1, sig_id 2010516
              suppress gen_id 1, sig_id 2012088
              suppress gen_id 1, sig_id 2013222
              suppress gen_id 1, sig_id 2014819
              suppress gen_id 1, sig_id 2014520
              suppress gen_id 1, sig_id 2101390
              suppress gen_id 1, sig_id 2103134
              suppress gen_id 1, sig_id 2500056
              suppress gen_id 119, sig_id 2
              suppress gen_id 119, sig_id 4
              suppress gen_id 119, sig_id 14
              suppress gen_id 119, sig_id 31
              suppress gen_id 119, sig_id 32
              suppress gen_id 120, sig_id 2
              suppress gen_id 120, sig_id 3
              suppress gen_id 120, sig_id 4
              suppress gen_id 120, sig_id 6
              suppress gen_id 120, sig_id 8
              suppress gen_id 120, sig_id 9
              suppress gen_id 122, sig_id 19
              suppress gen_id 122, sig_id 21
              suppress gen_id 122, sig_id 22
              suppress gen_id 122, sig_id 23
              suppress gen_id 122, sig_id 26
              suppress gen_id 137, sig_id 1
              

              I like to have a comment  for why this is excluded from the snort.conf alert/block

              Do a search on google and you will find them.

              This is a consolidated list from users who have tested and re-tested the alerts and found them to be false positives. If you are feeling insecure by this list then please go ahead and remove them. Do your own testing and add the ones you feel are false positives.

              1 Reply Last reply Reply Quote 0
              • panzP
                panz
                last edited by

                I propose to add to the Suppress List this entry:

                #(spp_frag3) Fragmentation overlap
                suppress gen_id 123, sig_id 8

                my internal LAN has some machines that need to connect to a VPN provider (AirVPN): without this entry, the connection to the VPN servers is lost after about 10 minutes.

                pfSense 2.3.2-RELEASE-p1 (amd64)
                motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  @panz:

                  I propose to add to the Suppress List this entry:

                  #(spp_frag3) Fragmentation overlap
                  suppress gen_id 123, sig_id 8

                  my internal LAN has some machines that need to connect to a VPN provider (AirVPN): without this entry, the connection to the VPN servers is lost after about 10 minutes.

                  panz:

                  There are some customizable settings for the Frag3 preprocessor that could help with your issue without having to disable the rule.  Go to the PREPROCESSORS tab and then scroll down to the Frag3 section.  Click the e icon to edit the default setting.  On the page that opens you will find a fragment overlap limit setting.  Try some other values in there if you want.  You can also create a custom Frag3 configuration just for a particular network subnet or IP address.  To do this, first create an Alias under Firewall…Aliases to identify the VPN.  Now return to the PREPROCESSORS tab and in the Frag3 section click the up-arrow icon to import a defined alias as a new Frag3 engine.  In the dialog that opens, choose the alias you created.  When back on the PREPROCESSORS tab, click the e icon beside the new Frag3 engine entry and edit the settings.

                  A number of the preprocessors offer this per-subnet or host customization of key settings.  The HTTP_INSEPCT, FRAG3, STREAM5 and both FTP-TELNET preprocessors can have multiple engines.

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • panzP
                    panz
                    last edited by

                    @bmeeks:

                    @panz:

                    I propose to add to the Suppress List this entry:

                    #(spp_frag3) Fragmentation overlap
                    suppress gen_id 123, sig_id 8

                    my internal LAN has some machines that need to connect to a VPN provider (AirVPN): without this entry, the connection to the VPN servers is lost after about 10 minutes.

                    panz:

                    […] first create an Alias under Firewall…Aliases to identify the VPN.  Now return to the PREPROCESSORS tab and in the Frag3 section click the up-arrow icon to import a defined alias as a new Frag3 engine.  In the dialog that opens, choose the alias you created.  When back on the PREPROCESSORS tab, click the e icon beside the new Frag3 engine entry and edit the settings.

                    Bill

                    I'll go to the Alias method + create a new Frag3 engine, as I don't want to touch this setting(s) for the others networks. Now, I have a few questions:

                    1. which IP address range am I going to enter as an Alias? Let's say the OpenVPN client on the Windows machine gets an IP address in the 10.4.0.0/16 range.  Is this the correct Alias range or do I need to look at the IP address of the exit node? (that's obviously a public IP).

                    2. Have I to repeat the same procedure ( = creating a new Frag3 engine) for both WAN and LAN PREPROCESSORS tab?

                    Thank you :)

                    pfSense 2.3.2-RELEASE-p1 (amd64)
                    motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      @panz:

                      I'll go to the Alias method + create a new Frag3 engine, as I don't want to touch this setting(s) for the others networks. Now, I have a few questions:

                      1. which IP address range am I going to enter as an Alias? Let's say the OpenVPN client on the Windows machine gets an IP address in the 10.4.0.0/16 range.  Is this the correct Alias range or do I need to look at the IP address of the exit node? (that's obviously a public IP).

                      2. Have I to repeat the same procedure ( = creating a new Frag3 engine) for both WAN and LAN PREPROCESSORS tab?

                      Thank you :)

                      Frag3 engines (and the other customizable engines) work on the destination IP addresses for the packets.  So look on the ALERTS tab and see what destination IP is associated with those fragmentation overlap alerts.  Create the new Frag3 engine configuration using that IP subnet (or single address) where you have been seeing the blocks inserted.  You would only need to repeat the procedure on the other interface's PREPROCESSORS tab if you wanted the custom configuration there as well.

                      Once you get a suitable Frag3 engine created, try unchecking the "detect anomalies" checkbox when editing the settings.  That should stop the alerts on fragmentation overlap.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • panzP
                        panz
                        last edited by

                        @bmeeks:

                        […] So look on the ALERTS tab and see what destination IP is associated with those fragmentation overlap alerts.  Create the new Frag3 engine configuration using that IP subnet (or single address) where you have been seeing the blocks inserted.

                        Bill,

                        The destination IP is always my WAN address (I'm on a ADSL line, so it changes sometimes). Inserting this address seems to me like disabling the Frag3 engine…

                        I thought I had to build the Alias inserting the Source: the Source is always an AirVPN exit node IP address and I have a full list of them.

                        pfSense 2.3.2-RELEASE-p1 (amd64)
                        motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          @panz:

                          @bmeeks:

                          […] So look on the ALERTS tab and see what destination IP is associated with those fragmentation overlap alerts.  Create the new Frag3 engine configuration using that IP subnet (or single address) where you have been seeing the blocks inserted.

                          Bill,

                          The destination IP is always my WAN address (I'm on a ADSL line, so it changes sometimes). Inserting this address seems to me like disabling the Frag3 engine…

                          I thought I had to build the Alias inserting the Source: the Source is always an AirVPN exit node IP address and I have a full list of them.

                          It's the nature of how the target-configurable engines work within Snort.  They are designed mainly for customizing the protection of public-facing servers, and thus key off the destination IP for inbound packets.  You can try setting up one using an Alias targeted to your AirVPN exit node addresses.  For that particular Frag3 setup, uncheck the "detect anomalies" checkbox and see if the alerts stop.

                          In your case, are you getting Alerts on the inbound VPN packets (from your WAN back into the LAN), or on your outbound VPN packets (from the LAN out to the WAN)?  If the former, then the "destination" is most likely your AirVPN node and thus the customized Frag3 engine approach should work for you.

                          Bill

                          1 Reply Last reply Reply Quote 0
                          • panzP
                            panz
                            last edited by

                            @bmeeks:

                            In your case, are you getting Alerts on the inbound VPN packets (from your WAN back into the LAN), or on your outbound VPN packets (from the LAN out to the WAN)?  If the former, then the "destination" is most likely your AirVPN node and thus the customized Frag3 engine approach should work for you.

                            I'm getting the alerts with Source: the AirVPN exit node and Destination: the IP Address of my WAN interface.

                            pfSense 2.3.2-RELEASE-p1 (amd64)
                            motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                            1 Reply Last reply Reply Quote 0
                            • L
                              lobotiger
                              last edited by

                              I'm just getting into playing with snort and this was an interesting thread.  :)  I have a question and I don't know if it's dumb to ask or not but….when you suppress a rule does that mean that further triggers of that rule will no longer be visible?  I know most of the ones in the lists here are false positives but what about if it's a real intrusion?  I guess another question is, if all of these generate so many false positives, why are they including in the rule sets to begin with?  Shouldn't the owners of those updates just remove them since everyone else seems to be doing so?

                              LoboTiger

                              1 Reply Last reply Reply Quote 0
                              • bmeeksB
                                bmeeks
                                last edited by

                                @lobotiger:

                                I'm just getting into playing with snort and this was an interesting thread.  :)  I have a question and I don't know if it's dumb to ask or not but….when you suppress a rule does that mean that further triggers of that rule will no longer be visible?  I know most of the ones in the lists here are false positives but what about if it's a real intrusion?  I guess another question is, if all of these generate so many false positives, why are they including in the rule sets to begin with?  Shouldn't the owners of those updates just remove them since everyone else seems to be doing so?

                                LoboTiger

                                The answer to your first question is "yes, when suppressed you no longer get alerts from the rule or preprocessor".  So be sure it really is a false positive before you routinely suppress an alert.

                                As for your second question, you have hit upon something that puzzles me as well.  The problem is caused, I believe, by the fact many software packages (servers and clients) do not follow all the various RFC standards to the letter.  Some deviations are due to mistakes or alternate interpretations of the RFC, and some may just be certain vendors trying to "one up or be one better" than their competition by "tweaking" how their software complies with an RFC.  No matter which is the true cause, the result is software than can generate false positives because Snort (and Suricata as well) inspect traffic according to the RFCs (well, most of the time).  There are also bugs from time to time in the detection code for Snort and Suricata.  For example, Snort today has a problem with parts of the SSL handshake (it loses track of the stream and sees client and server HELO messages out of order and then generates an alert).  The Snort VRT is working on fixing this bug.

                                Bill

                                1 Reply Last reply Reply Quote 0
                                • L
                                  lobotiger
                                  last edited by

                                  Cool, thanks for the answers Bill.

                                  LoboTiger

                                  1 Reply Last reply Reply Quote 0
                                  • R
                                    rcampbell
                                    last edited by

                                    I share the same concern as lobotiger and I want to try and understand the logic of a master supress list and whether it is good idea to use such a list.

                                    I'll take one example from the list as posted, this is the first one with a description so I'll use this:

                                    #(http_inspect) DOUBLE DECODING ATTACK
                                    suppress gen_id 119, sig_id 2

                                    Lets assume a 'Double Decoding Attack' is bad and you would want to block that type of traffic.  Lets assume you go to a trusted website and it is blocked by this rule… i.e. a false positive.  Doesn't it make sense to only supress the rule for that specific IP address only?  Why supress the rule as it is listed with no specific IP?  Am I correct in thinking the rule is now supressed for all IP's?  Isn't that a bad thing in the sense that you would now never detect any Double Decoding Attack from any source?

                                    Can anyone please clarify?

                                    1 Reply Last reply Reply Quote 0
                                    • BBcan177B
                                      BBcan177 Moderator
                                      last edited by

                                      The general consensus is to Disable (false positive) rules before adding suppression for False Positives. However, as you said, if the Alert is only generated from a few IPs than its best to use suppression for those particular IPs only.

                                      What you don't want to do is add a suppression without the "track_by src/dst" in the suppression. So in these cases, using suppression is wasting processing power and its best to disable the rule.

                                      As Bill Meeks stated above, some alerts are false positive due to non-compliance to RFCs etc.

                                      For Alerts like HTTP Inspect, you can look at the HTTP Pre-Processor to see if you can tune it to your setup to avoid these false positives.

                                      Some Alerts can't be disabled by the Rules and the Pre-Processors might not be configurable via the GUI, so for a few alerts, you might need to use Suppression. I believe that with each version of Snort, more of the Pre-Processors are being added, so we have more buttons to play with to help tune it. For Suricata, it has a "Wan App Parser" which you could take a look at or for Stream Alerts, the "Wan Flow/Stream".

                                      These are Threads in the forum for what people are using as a Baseline for Disabling Rules.

                                      https://forum.pfsense.org/index.php?topic=78062.0
                                      https://forum.pfsense.org/index.php?topic=64674.0

                                      "Experience is something you don't get until just after you need it."

                                      Website: http://pfBlockerNG.com
                                      Twitter: @BBcan177  #pfBlockerNG
                                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                      1 Reply Last reply Reply Quote 1
                                      • panzP
                                        panz
                                        last edited by

                                        I had this problem and tuning didn't solve anything; I had to disable the detection :(

                                        https://forum.pfsense.org/index.php?topic=80068.msg436866#msg436866

                                        pfSense 2.3.2-RELEASE-p1 (amd64)
                                        motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                                        1 Reply Last reply Reply Quote 0
                                        • T
                                          Thrae
                                          last edited by

                                          I suggest if you're getting too many false positives and at a loss for how to configure around them, try this:

                                          
                                          event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600
                                          
                                          

                                          This will filter events such that only offending IPs which create more than 10 events in 10 minutes will be blocked –- this seriously helps out when packets are fragmented oddly or a server just responds weirdly once in a while. You may change "count 10" and "seconds 600" to make it less restrictive or more restrictive.

                                          1 Reply Last reply Reply Quote 0
                                          • panzP
                                            panz
                                            last edited by

                                            @Thrae:

                                            I suggest if you're getting too many false positives and at a loss for how to configure around them, try this:

                                            
                                            event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600
                                            
                                            

                                            This will filter events such that only offending IPs which create more than 10 events in 10 minutes will be blocked –- this seriously helps out when packets are fragmented oddly or a server just responds weirdly once in a while. You may change "count 10" and "seconds 600" to make it less restrictive or more restrictive.

                                            How do I apply this method?

                                            pfSense 2.3.2-RELEASE-p1 (amd64)
                                            motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.