Netgate Discussion Forum
    Suricata/Snort master SID disablesid.conf

    IDS/IPS
    96 Posts 38 Posters 105.2k Views
    • panzP
      panz
      last edited by

      I had this problem and tuning didn't solve anything; I had to disable the detection :(

      https://forum.pfsense.org/index.php?topic=80068.msg436866#msg436866

      pfSense 2.3.2-RELEASE-p1 (amd64)
      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

      • T
        Thrae
        last edited by

        I suggest if you're getting too many false positives and at a loss for how to configure around them, try this:

        event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600

        This will filter events such that only offending IPs which create more than 10 events in 10 minutes will be blocked -- this seriously helps out when packets are fragmented oddly or a server just responds weirdly once in a while. You may change "count 10" and "seconds 600" to make it less restrictive or more restrictive.

        • panzP
          panz
          last edited by

          @Thrae:

          I suggest if you're getting too many false positives and at a loss for how to configure around them, try this:

          event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600

          This will filter events such that only offending IPs which create more than 10 events in 10 minutes will be blocked -- this seriously helps out when packets are fragmented oddly or a server just responds weirdly once in a while. You may change "count 10" and "seconds 600" to make it less restrictive or more restrictive.

          How do I apply this method?


          • BBcan177B
            BBcan177 Moderator
            last edited by

            This is added to the interface suppression list. So for a particular suppression you change the gid and sid accordingly.

            You will need to restart the interface to allow it to be enabled.

            http://manual.snort.org/node19.html

            http://books.msspace.net/mirrorbooks/snortids/0596006616/snortids-CHP-9-SECT-5.html

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            • panzP
              panz
              last edited by

              So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)

              event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

              gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap

              panz


              • bmeeksB
                bmeeks
                last edited by

                @panz:

                So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)

                event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

                gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap

                panz

                Yes, that's correct.  Open the Suppress List in edit mode and paste in the line.  Save the list and then restart the affected Snort interface.  Make sure that the Suppress List you edit is the one currently used by the interface.  You can check this on the INTERFACE SETTINGS tab for the interface.

                Bill

                • T
                  Thrae
                  last edited by

                  Note that:

                  event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600

                  will specifically filter ALL events to 10 per 10 minutes, a quick-and-dirty way to stop massive false-positives while still providing some protection. What I've been doing recently is slowly lowering the count -- now at 3 -- while making different event_filter rules for specific flowbits. Example:

                  event_filter gen_id 0, sig_id 0, type both, track by_src, count 3, seconds 600

                  ## False Positives ##
                  ; (spp_sdf) SDF Combination Alert
                  event_filter gen_id 139, sig_id 1, type both, track by_src, count 6, seconds 600
                  ; (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                  event_filter gen_id 120, sig_id 8, type both, track by_src, count 6, seconds 600
                  ; (http_inspect) UNKNOWN METHOD
                  event_filter gen_id 119, sig_id 31, type both, track by_src, count 6, seconds 600

                  From my experience I'm not sure I actually agree with the idea of a master suppress list, since I've found false positives will be based on what sites you tend to visit, the quality of your connection with these sites (many false positives are simply malformed packets), etc. However, this filtering should provide at least a little more protection than simply suppressing the alert always.

                  Also note these event filters are tracking by the source, it shouldn't really matter how many users you have (IE, you don't necessarily need to up "count" because you have more users).

                  Next on my to-do is figure out how to do event filtering for certain IPs and IP ranges; I think it can be done using rate_filter set to at least "alert". I'm hoping to essentially disable the suppression for my servers.

                  • panzP
                    panz
                    last edited by

                    @bmeeks:

                    @panz:

                    So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)

                    event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

                    gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap

                    panz

                    Yes, that's correct.  Open the Suppress List in edit mode and paste in the line.  Save the list and then restart the affected Snort interface.  Make sure that the Suppress List you edit is the one currently used by the interface.  You can check this on the INTERFACE SETTINGS tab for the interface.

                    Bill

                    Could I force this to work only for a certain IP address? Is it possible to add the IP address I want to filter after the comma past the "track by_src"?


                    • BBcan177B
                      BBcan177 Moderator
                      last edited by

                      Yes, you can add an IP or CIDR and after that include additional syntax as required.

                      9.5.3 Suppression Rules

                      Suppression rules are similar in syntax to standalone threshold rules. Suppression rules can suppress alerts by signature, by source or destination address, or by an entire CIDR network block. This flexibility has considerable power. Care must be taken to only suppress the correct alerts or addresses. An administrator could inadvertently suppress legitimate alerts.

                      Suppression rules are written with the following syntax:

                      suppress gen_id gen-id, sig_id sid-id, track [by_src|by_dst], ip IP/MASK-BITS

                      Suppress this event completely:

                      suppress gen_id 1, sig_id 114

                      Suppress this event from this source IP address:

                      suppress gen_id 1, sig_id 114, track by_src, ip 10.2.1.154

                      Suppress this event to this destination CIDR block:

                      suppress gen_id 1, sig_id 114, track by_dst, ip 10.2.1.0/24


                      • panzP
                        panz
                        last edited by

                        Thanks, this is for Suppress action. Am I able to use the track by_src with the event_filter?

                        Panz


                        • BBcan177B
                          BBcan177 Moderator
                          last edited by

                          Yes you can add other settings after the IP address.


                          • panzP
                            panz
                            last edited by

                            @BBcan177:

                            Yes you can add other settings after the IP address.

                            Sorry, I didn't explain my question well. Is this row ok?:

                            event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600

                            I'm asking because – in the examples regarding the event_filter – I can't find the "track by_src" followed by an IP address, like in the examples regarding the suppress command.

                            I hope that my question is clear now.


                            • BBcan177B
                              BBcan177 Moderator
                              last edited by

                              @panz:

                              Sorry, I didn't explain my question well. Is this row ok?:

                              event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600

                              After looking at the Docs, it looks like only the "Suppression" rules can use an IP where event_filter is only by src/dst…

                              If you wanted to have a suppression and an event_filter, you could do the following in order:

                              suppress gen_id 123, sig_id 8, track by_src, ip 106.188.165.67
                              event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

                              This would suppress this sid/IP combination, and event_filter would limit any other IPs. Or you can just use the event_filter by itself.


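Pulling together Thrae's layering of a global event_filter under rule-specific ones and BBcan177's suppress-then-event_filter ordering, here is an added example (not code from the thread, Snort or pfSense) that parses that threshold.conf-style syntax and replays constructed alerts through a toy model of Snort's documented semantics. The addresses, the gid/sid pairs in the sample config and the acceptance of ';' comment lines are assumptions; the `track by_src, <ip>` form panz asked about is rejected by the parser, which is the check a practitioner wants before restarting an interface.

```python
# Added example: toy model of Snort threshold.conf semantics, not Snort/pfSense code.
from collections import defaultdict
import ipaddress
import re

SUPPRESS_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$")
FILTER_RE = re.compile(
    r"event_filter\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(limit|threshold|both),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)$")


def parse_threshold_conf(text):
    """Return (suppress_rules, filters). '#' and ';' lines are treated as comments
    (assumption: ';' follows Thrae's list; Snort itself documents '#')."""
    suppress, filters = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := SUPPRESS_RE.match(line):
            gid, sid, track, ip = m.groups()
            net = ipaddress.ip_network(ip, strict=False) if ip else None
            suppress.append(((int(gid), int(sid)), track, net))
        elif m := FILTER_RE.match(line):
            gid, sid, typ, track, count, secs = m.groups()
            filters[(int(gid), int(sid))] = (typ, track, int(count), int(secs))
        else:  # this is what catches an IP wedged after "track by_src"
            raise ValueError(f"unrecognised threshold.conf line: {raw!r}")
    return suppress, filters


def line_is_valid(line):
    try:
        parse_threshold_conf(line)
        return True
    except ValueError:
        return False


class EventFilterEngine:
    def __init__(self, suppress, filters):
        self.suppress, self.filters = suppress, filters
        self.state = defaultdict(lambda: [0, 0])  # key -> [window start, count]

    def _suppressed(self, gid, sid, src, dst):
        """A suppress with no ip clause drops the event for every address."""
        addr = {"by_src": src, "by_dst": dst}
        return any((g, s) == (gid, sid)
                   and (net is None or ipaddress.ip_address(addr[track]) in net)
                   for (g, s), track, net in self.suppress)

    def process(self, ts, gid, sid, src, dst):
        """True if the event is logged, False if dropped. Suppress is checked
        first; the global (0, 0) filter only applies without a specific one."""
        if self._suppressed(gid, sid, src, dst):
            return False
        rule = self.filters.get((gid, sid)) or self.filters.get((0, 0))
        if rule is None:
            return True
        typ, track, count, secs = rule
        st = self.state[(gid, sid, src if track == "by_src" else dst)]
        if st[1] == 0 or ts - st[0] >= secs:  # first event or window expired
            st[0], st[1] = ts, 0
        st[1] += 1
        if typ == "limit":      # first `count` events per window are logged
            return st[1] <= count
        if typ == "threshold":  # every count-th event is logged
            return st[1] % count == 0
        return st[1] == count   # both: once per window, on the count-th event


# Constructed config in the order BBcan177 describes; all addresses are documentation ranges.
CONF = """\
suppress gen_id 123, sig_id 8, track by_src, ip 203.0.113.7
event_filter gen_id 123, sig_id 8, type both, track by_src, count 3, seconds 600
; catch-all, only used for gid/sid pairs without their own filter
event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600
"""


def demo():
    """Replay constructed alerts (ts, gid, sid, src, dst); return the logged ones."""
    engine = EventFilterEngine(*parse_threshold_conf(CONF))
    events = [(t, 123, 8, "198.51.100.9", "192.0.2.1") for t in range(0, 50, 10)]
    events += [(t, 123, 8, "203.0.113.7", "192.0.2.1") for t in range(0, 50, 10)]
    events += [(t, 1, 2000334, "198.51.100.9", "192.0.2.1") for t in range(0, 120, 10)]
    return [ev for ev in sorted(events) if engine.process(*ev)]
```

With the sample config, the frag3 alerts from the suppressed address never appear, the other host's frag3 alerts are logged once on the third hit, and the sid with no specific filter falls under the global count of 10.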
                              • panzP
                                panz
                                last edited by

                                My intention was only to event_filter one address, my favorite AirVPN server.


                                • D
                                  deanot
                                  last edited by

                                  The list is a good idea, BUT, we have no idea what is being suppressed. At least I have no idea. Using this list literally stops everything from showing up and getting banned; is this a good idea? For all I know, you could have suppressed a bunch of things that should not be.

                                  Listing what you suppressed would have been a better approach; I am going to avoid using this and attempt to build something that I have a clue about.

                                  Not knocking your work, but as mentioned, I have no idea what you're suppressing.

                                  PFSense System Specs.
                                  ----------------
                                  Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
                                  4 CPUs: 1 package(s) x 4 core(s) 4 port HP Branded Intel Ethernet Card

                                  • ?
                                    Guest
                                    last edited by

                                    @deanot:

                                    The list is a good idea, BUT, we have no idea what is being suppressed. At least I have no idea. Using this list literally stops everything from showing up and getting banned; is this a good idea? For all I know, you could have suppressed a bunch of things that should not be.

                                    Listing what you suppressed would have been a better approach; I am going to avoid using this and attempt to build something that I have a clue about.

                                    Not knocking your work, but as mentioned, I have no idea what you're suppressing.

                                    Thank you for pointing this out. I am a PFSense / snort newbie and just discovered this list. It improved the performance of snort, but I, too, am concerned about what it is actually doing since I am so new at this. A reply from somebody with experience would be beneficial.

                                    This week I plan to remove the list, at least temporarily, and try to make my own suppression list. It will give me a frame of reference that may enable me to figure out the donated one better.

                                    • ?
                                      Guest
                                      last edited by

                                      deanot,

                                      I removed the copied suppression list and started building my own today. I'm using suppression only at this time because I'm still too new with snort and PFSense to try the rule fixes. That will come down the road in a couple of weeks.

                                      FYI: It appears to take detective work to figure out what can be suppressed. Just tedious detective work.

                                      For example, a 'corporate violation' appeared to be my home network doing something internally using IPv6. Seemed pretty safe to suppress. Also on the copied list.

                                      An IPv4 destination address pointed at Microsoft. Google said it was in use by a company that supplies an anti-malware product I use. I assumed it was talking back to the publisher. Coded as safe.

                                      I noted one before that ooma was involved with and also noted on the ooma 'ports to forward' list they publish. Allowed.

                                      This must reflect the suggestion to run 'detect only' for a couple of months first. Good luck.

                                      • C
                                        cmenghi
                                        last edited by

                                        Hi, people.

                                        I created a GitHub repo with the list: https://github.com/cristianmenghi/pfsense-snort/

                                        I have a problem that Snort blocks my access to the webConfigurator, any advice?

                                        Thanks.

                                        • S
                                          sebna
                                          last edited by

                                          @cmenghi:

                                          Hi, people.

                                          I created a GitHub repo with the list: https://github.com/cristianmenghi/pfsense-snort/

                                          I have a problem that Snort blocks my access to the webConfigurator, any advice?

                                          Thanks.

                                          I have exactly the same problem using this list. Have you found the lines / reason which are causing it? Otherwise the list is great…

                                          Can anybody advise?

                                          • A
                                            asterix
                                            last edited by

                                            Realized I had not posted my most recent suppression list. Found quite a few new ones to add to the list after the recent upgrade to 2.3. I still see a few more false positives but they are not yet blocking anything critical.

                                            -------------------------------------------

                                            suppress gen_id 1, sig_id 536
                                            suppress gen_id 1, sig_id 648
                                            suppress gen_id 1, sig_id 653
                                            suppress gen_id 1, sig_id 1390
                                            suppress gen_id 1, sig_id 2452
                                            suppress gen_id 1, sig_id 8375
                                            suppress gen_id 1, sig_id 11192
                                            suppress gen_id 1, sig_id 12286
                                            suppress gen_id 1, sig_id 15147
                                            suppress gen_id 1, sig_id 15306
                                            suppress gen_id 1, sig_id 15362
                                            suppress gen_id 1, sig_id 16313
                                            suppress gen_id 1, sig_id 16482
                                            suppress gen_id 1, sig_id 17458
                                            suppress gen_id 1, sig_id 20583
                                            suppress gen_id 1, sig_id 23098
                                            suppress gen_id 1, sig_id 23256
                                            suppress gen_id 1, sig_id 24889
                                            suppress gen_id 1, sig_id 2000334
                                            suppress gen_id 1, sig_id 2000419
                                            suppress gen_id 1, sig_id 2003195
                                            suppress gen_id 1, sig_id 2007727
                                            suppress gen_id 1, sig_id 2008120
                                            suppress gen_id 1, sig_id 2008578
                                            suppress gen_id 1, sig_id 2010516
                                            suppress gen_id 1, sig_id 2010525
                                            suppress gen_id 1, sig_id 2010935
                                            suppress gen_id 1, sig_id 2010937
                                            suppress gen_id 1, sig_id 2011716
                                            suppress gen_id 1, sig_id 2012078
                                            suppress gen_id 1, sig_id 2012086
                                            suppress gen_id 1, sig_id 2012087
                                            suppress gen_id 1, sig_id 2012088
                                            suppress gen_id 1, sig_id 2012089
                                            suppress gen_id 1, sig_id 2012141
                                            suppress gen_id 1, sig_id 2012252
                                            suppress gen_id 1, sig_id 2012758
                                            suppress gen_id 1, sig_id 2013028
                                            suppress gen_id 1, sig_id 2013031
                                            suppress gen_id 1, sig_id 2013222
                                            suppress gen_id 1, sig_id 2013414
                                            suppress gen_id 1, sig_id 2013504
                                            suppress gen_id 1, sig_id 2014472
                                            suppress gen_id 1, sig_id 2014518
                                            suppress gen_id 1, sig_id 2014520
                                            suppress gen_id 1, sig_id 2014726
                                            suppress gen_id 1, sig_id 2014734
                                            suppress gen_id 1, sig_id 2014819
                                            suppress gen_id 1, sig_id 2015561
                                            suppress gen_id 1, sig_id 2015744
                                            suppress gen_id 1, sig_id 2016360
                                            suppress gen_id 1, sig_id 2016877
                                            suppress gen_id 1, sig_id 2017364
                                            suppress gen_id 1, sig_id 2018959
                                            suppress gen_id 1, sig_id 2019416
                                            suppress gen_id 1, sig_id 2100366
                                            suppress gen_id 1, sig_id 2100368
                                            suppress gen_id 1, sig_id 2100651
                                            suppress gen_id 1, sig_id 2101390
                                            suppress gen_id 1, sig_id 2101424
                                            suppress gen_id 1, sig_id 2102314
                                            suppress gen_id 1, sig_id 2103134
                                            suppress gen_id 1, sig_id 2103192
                                            suppress gen_id 1, sig_id 2402000
                                            suppress gen_id 1, sig_id 2403344
                                            suppress gen_id 1, sig_id 2406003
                                            suppress gen_id 1, sig_id 2406067
                                            suppress gen_id 1, sig_id 2406069
                                            suppress gen_id 1, sig_id 2406424
                                            suppress gen_id 1, sig_id 2500050
                                            suppress gen_id 1, sig_id 2500056
                                            suppress gen_id 1, sig_id 2520199
                                            suppress gen_id 1, sig_id 2520205
                                            suppress gen_id 1, sig_id 100000230
                                            suppress gen_id 3, sig_id 14772
                                            suppress gen_id 3, sig_id 19187
                                            suppress gen_id 3, sig_id 21355
                                            suppress gen_id 119, sig_id 2
                                            suppress gen_id 119, sig_id 4
                                            suppress gen_id 119, sig_id 7
                                            suppress gen_id 119, sig_id 14
                                            suppress gen_id 119, sig_id 31
                                            suppress gen_id 119, sig_id 32
                                            suppress gen_id 119, sig_id 33
                                            suppress gen_id 120, sig_id 2
                                            suppress gen_id 120, sig_id 3
                                            suppress gen_id 120, sig_id 4
                                            suppress gen_id 120, sig_id 6
                                            suppress gen_id 120, sig_id 8
                                            suppress gen_id 120, sig_id 9
                                            suppress gen_id 120, sig_id 10
                                            suppress gen_id 122, sig_id 19
                                            suppress gen_id 122, sig_id 21
                                            suppress gen_id 122, sig_id 22
                                            suppress gen_id 122, sig_id 23
                                            suppress gen_id 122, sig_id 26
                                            suppress gen_id 123, sig_id 10
                                            suppress gen_id 124, sig_id 3
                                            suppress gen_id 125, sig_id 2
                                            suppress gen_id 137, sig_id 1
                                            suppress gen_id 138, sig_id 2
                                            suppress gen_id 138, sig_id 3
                                            suppress gen_id 138, sig_id 4
                                            suppress gen_id 138, sig_id 5
                                            suppress gen_id 138, sig_id 6
                                            suppress gen_id 140, sig_id 27
                                            suppress gen_id 141, sig_id 1

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.