Suricata/Snort master SID disablesid.conf

panz

So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)

event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap

panz

bmeeks

@panz:

So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)

event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap

panz

Yes, that's correct.  Open the Suppress List in edit mode and paste in the line.  Save the list and then restart the affected Snort interface.  Make sure that the Suppress List you edit is the one currently used by the interface.  You can check this on the INTERFACE SETTINGS tab for the interface.

Bill

Thrae

Note that:

event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600

Will specifically filter ALL events to 10 per 10 minutes, a quick-and-dirty way to stop massive false-positives while still providing some protection. What I've been doing recently is slowly lowering the count –- now at 3 --- while making different event_filter rules for specific flowbits. Example:

event_filter gen_id 0, sig_id 0, type both, track by_src, count 3, seconds 600

## False Positives ##
; (spp_sdf) SDF Combination Alert
event_filter gen_id 139, sig_id 1, type both, track by_src, count 6, seconds 600
; (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
event_filter gen_id 120, sig_id 8, type both, track by_src, count 6, seconds 600
; (http_inspect) UNKNOWN METHOD
event_filter gen_id 119, sig_id 31, type both, track by_src, count 6, seconds 600

From my experience I'm not sure I actually agree with the idea of a master suppress list, since I've found false positives will be based on what sites you tend to visit, the quality of your connection with these sites (many false positives are simply malformed packets), etc. However, this filtering should provide at least a little more protection than simply suppressing the alert always.

Also note these event filters are tracking by the source, it shouldn't really matter how many users you have (IE, you don't necessarily need to up "count" because you have more users).

Next on my to-do is figure out how to do event filtering for certain IPs and IP ranges; I think it can be done using rate_filter set to at least "alert". I'm hoping to essentially disable the suppression for my servers.

panz

@bmeeks:

@panz:

So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)

event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap

panz

Yes, that's correct.  Open the Suppress List in edit mode and paste in the line.  Save the list and then restart the affected Snort interface.  Make sure that the Suppress List you edit is the one currently used by the interface.  You can check this on the INTERFACE SETTINGS tab for the interface.

Bill

Could I force this to work only for a certain IP address? Is it possible to add the IP address I want to filter after the comma past the "track by_src"?

BBcan177

Yes you can add an IP or CIDR and after that include additional other syntax as required.

9.5.3 Suppression Rules

Suppression rules are similar in syntax to standalone threshold rules. Suppression rules can suppress alerts by signature, by source or destination address, or by an entire CIDR network block. This flexibility has considerable power. Care must be taken to only suppress the correct alerts or addresses. An administrator could inadvertently suppress legitimate alerts.

Suppression rules are written with the following syntax:

suppress gen_id gen-id, sid_id sid-id, track [by_src|by_dst], ip IP/MASK-BITS

Suppress this event completely:

suppress gen_id 1, sig_id 114

Suppress this event from this source IP address:

suppress gen_id 1, sig_id 114, track by_src, ip 10.2.1.154

Suppress this event to this destination CIDR block:

suppress gen_id 1, sig_id 114, track by_dst, ip 10.2.1.0/24

panz

Thanks, this is for Suppress action. Am I able to use the track by_src with the event_filter?

Panz

BBcan177

Yes you can add other settings after the IP address.

panz

@BBcan177:

Yes you can add other settings after the IP address.

Sorry, I didn't explain my question well. Is this row ok? :

event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600

I'm asking because – in the examples regarding the event_filter – I can't find the "track by_src" followed by an IP address, like in the examples regarding the suppress command.

I hope that my question is clear now.

BBcan177

@panz:

Sorry, I didn't explain my question well. Is this row ok? :

event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600

After looking at the Docs, it looks like only the "Suppression" rules can use an IP where event_filter is only by src/dst…

If you wanted to have a suppression and a event_filter, you could do the following in order:

suppress gen_id 123, sig_id 8, track by_src, ip 106.188.165.67
event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

This would suppress this sid/IP combination, and event_filter would limit any other IPs. Or you can just use the event_filter by itself.

panz

My intention was only to event_filter one address, my favorite AirVPN server.

deanot

The list is a good idea, BUT, we have no idea what is being suppressed.  At least I have no idea…..  Using this list literally stops everything from showing up and getting banned, is this a good idea?.  For all I know, you could have suppressed a bunch of things that should not be.

Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.

Not knocking your work, but as mentioned, I have no idea what you're suppressing.

Guest

@deanot:

The list is a good idea, BUT, we have no idea what is being suppressed.  At least I have no idea…..  Using this list literally stops everything from showing up and getting banned, is this a good idea?.  For all I know, you could have suppressed a bunch of things that should not be.

Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.

Not knocking your work, but as mentioned, I have no idea what you're suppressing.

Thank you for pointing this out. I am a PFSense / snort newbie and just discovered this list. It improved the performance of snort, but I, too, am concerned about what it is actually doing since I am so new at this. A reply from somebody with experience would be beneficial.

This week I plan to remove the list, at lease temporarily, and try to make my own suppression list. It will give me a frame of reference that may enable me to figure out the donated one better.

Guest

deanot,

I removed the copied suppression list ans started building my own today. I'm using suppression only at this time because I'm still too new with snort and PFSense to try the rule fixes. That will come down the road in a couple of weeks.

FYI: It appears to take detective work to figure out what can be suppressed. Just tedious detective work.

For example, a 'corporate violation' appeared to be my home network doing something internally using IPv6. Seemed pretty safe to suppress. Also on the copied list.

An IPv4 destination address pointed at Microsoft. Google said it was in use by a company that supplies an anti-malware product I use. I assumed it was talking back to the publisher. Coded as safe.

I noted one before that ooma was involved with and also noted on the ooma 'ports to forward' list they publish. Allowed.

This must reflect the suggestion to run 'detect only' for a couple of months first. Good luck.

cmenghi

Hi, people.

Im create a github repo with the list https://github.com/cristianmenghi/pfsense-snort/

I have a problem that snort block my access to the webConfigurator, any advice ?

thanks.

sebna

@cmenghi:

Hi, people.

Im create a github repo with the list https://github.com/cristianmenghi/pfsense-snort/

I have a problem that snort block my access to the webConfigurator, any advice ?

thanks.

I have exactly same problem using this list. Have you found lines / reason which are causing it? Otherwise list is great…

Can anybody advice?

asterix

Realized I had not posed my most recent suppression list. Found quiet a bit of new ones to add on the list after the recent upgrade to 2.3. I still see a few more false positives but they are not yet blocking anything critical.

–------------------------------------------

suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 23256
suppress gen_id 1, sig_id 24889
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2000419
suppress gen_id 1, sig_id 2003195
suppress gen_id 1, sig_id 2007727
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2008578
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2010525
suppress gen_id 1, sig_id 2010935
suppress gen_id 1, sig_id 2010937
suppress gen_id 1, sig_id 2011716
suppress gen_id 1, sig_id 2012078
suppress gen_id 1, sig_id 2012086
suppress gen_id 1, sig_id 2012087
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2012089
suppress gen_id 1, sig_id 2012141
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013028
suppress gen_id 1, sig_id 2013031
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2013414
suppress gen_id 1, sig_id 2013504
suppress gen_id 1, sig_id 2014472
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014726
suppress gen_id 1, sig_id 2014734
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2015744
suppress gen_id 1, sig_id 2016360
suppress gen_id 1, sig_id 2016877
suppress gen_id 1, sig_id 2017364
suppress gen_id 1, sig_id 2018959
suppress gen_id 1, sig_id 2019416
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2103192
suppress gen_id 1, sig_id 2402000
suppress gen_id 1, sig_id 2403344
suppress gen_id 1, sig_id 2406003
suppress gen_id 1, sig_id 2406067
suppress gen_id 1, sig_id 2406069
suppress gen_id 1, sig_id 2406424
suppress gen_id 1, sig_id 2500050
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 2520199
suppress gen_id 1, sig_id 2520205
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
suppress gen_id 3, sig_id 19187
suppress gen_id 3, sig_id 21355
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 119, sig_id 33
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
suppress gen_id 123, sig_id 10
suppress gen_id 124, sig_id 3
suppress gen_id 125, sig_id 2
suppress gen_id 137, sig_id 1
suppress gen_id 138, sig_id 2
suppress gen_id 138, sig_id 3
suppress gen_id 138, sig_id 4
suppress gen_id 138, sig_id 5
suppress gen_id 138, sig_id 6
suppress gen_id 140, sig_id 27
suppress gen_id 141, sig_id 1

Vidmo

For those who wish to know exactly what they are blocking and why, I present my list.

#GLOBAL

#This event is generated when an attempt is made to gain access to private resources using Samba
#suppress gen_id 1, sig_id 536

#GPL SHELLCODE x86 NOOP
#suppress gen_id 1, sig_id 648

#GPL SHELLCODE x86 0x90 unicode NOOP
#suppress gen_id 1, sig_id 653

#This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375

#This event is generated when network traffic that indicates download of executable content is being used.
suppress gen_id 1, sig_id 11192

#This rule generates events when a portable executable file is downloaded
suppress gen_id 1, sig_id 15306

#FILE-IDENTIFY download of executable content - x-header -> stops windows download
suppress gen_id 1, sig_id 16313

#This event is generated when an attempt is made to exploit a known vulnerability in internet security.
suppress gen_id 1, sig_id 17458

#This event is generated when an attempt is made to exploit a known vulnerability in firefox.
suppress gen_id 1, sig_id 20583

#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
suppress gen_id 1, sig_id 23098

#GPL ICMP_INFO PING *NIX
suppress gen_id 1, sig_id 2100366

#GPL ICMP_INFO
suppress gen_id 1, sig_id 2100368

#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390

#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230

#GPL WEB_CLIENT PNG large colour depth download attempt
suppress gen_id 1, sig_id 2103134

#WEB-CLIENT libpng malformed chunk denial of service attempt
suppress gen_id 3, sig_id 14772

#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2

#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4

#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7

#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14

#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31

#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32

#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3

#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4

#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6

#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8

#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9

#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10

#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3

#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2

#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1

#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1

#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33

#ET P2P BitTorrent peer sync
suppress gen_id 1, sig_id 2000334

#ET P2P ThunderNetwork UDP Traffic (MS Azure)
suppress gen_id 1, sig_id 2009099, track by_dst, ip 23.99.86.92

#ET TFTP Outbound TFTP Read Request – VONAGE
suppress gen_id 1, sig_id 2008120

#ET CHAT Skype User-Agent detected
suppress gen_id 1, sig_id 2002157

#ET CHAT Skype VOIP Checking Version (Startup)
suppress gen_id 1, sig_id 2001595

#ET CHAT Suppressing all IRC alerts to the justin.tv / twitch.tv netblock 192.16.64.0/21, online game watching + irc chat service.
#'TROJAN IRC Private message on non-standard port',2000347
#'TROJAN IRC Nick change on non-standard port',2000345
#'TROJAN IRC Channel JOIN on non-standard port',2000348
suppress gen_id 1, sig_id 2000347, track by_dst, ip 192.16.64.0/21
suppress gen_id 1, sig_id 2000345, track by_dst, ip 192.16.64.0/21
suppress gen_id 1, sig_id 2000348, track by_dst, ip 192.16.64.0/21

#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
suppress gen_id 1, sig_id 2010516

#ET WEB_CLIENT PDF With Embedded File
suppress gen_id 1, sig_id 2011507, track by_src, ip 192.104.67.214

#ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) (EATON UPS SOFTWARE)
suppress gen_id 1, sig_id 2010525, track by_src, ip 40.143.173.102

#ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt
suppress gen_id 1, sig_id 2011891

#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518

#ET INFO EXE - Served Attached HTTP
suppress gen_id 1, sig_id 2014520

#ET INFO Packed Executable Download
suppress gen_id 1, sig_id 2014819

#ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
suppress gen_id 1, sig_id 2018904
suppress gen_id 1, sig_id 2018905
suppress gen_id 1, sig_id 2018906
suppress gen_id 1, sig_id 2018907

#ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
suppress gen_id 1, sig_id 2016149
suppress gen_id 1, sig_id 2016150
suppress gen_id 1, sig_id 2018908

#ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
suppress gen_id 1, sig_id 2012758

#ET INFO Suspicious Windows NT version 8 User-Agent
suppress gen_id 1, sig_id 2015821

#ET INFO Possible Phish - Saved Website Comment Observed
suppress gen_id 1, sig_id 2018334

#ET INFO .exe File requested over FTP
suppress gen_id 1, sig_id 2014906, track by_dst, ip 64.174.237.178

#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561

#ET INFO Possible Chrome Plugin install
suppress gen_id 1, sig_id 2016847, track by_src, ip 192.168.1.120

#ET POLICY Microsoft user-agent automated process response to automated request
suppress gen_id 1, sig_id 2012692

#ET POLICY External IP Lookup - checkip.dyndns.org
suppress gen_id 1, sig_id 2021378

#ET POLICY External IP Lookup ip-api.com
suppress gen_id 1, sig_id 2022082

#ET POLICY Possible IP Check api.ipify.org
suppress gen_id 1, sig_id 2019512

#ET POLICY DynDNS CheckIp External IP Address Server Response
suppress gen_id 1, sig_id 2014932

#ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
suppress gen_id 1, sig_id 2011227

#ET POLICY PE EXE or DLL Windows file download HTTP
suppress gen_id 1, sig_id 2018959

#ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted (ESET NOD)
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.36
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.37
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.38
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.39
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.40
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.13
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.14
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.16
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.15
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.88
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.21
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.22
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.23
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.24
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.25
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.26
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.132
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.133

#ET POLICY PE EXE or DLL Windows file download HTTP (NVIDIA)
suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.133
suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.189
suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.120.225

#ET POLICY Executable served from Amazon S3
suppress gen_id 1, sig_id 2013414

#ET POLICY Pandora Usage
suppress gen_id 1, sig_id 2014997

#ET POLICY iTunes User Agent
suppress gen_id 1, sig_id 2002878

#ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
suppress gen_id 1, sig_id 2019416

#ET POLICY Executable and linking format (ELF) file download
suppress gen_id 1, sig_id 2000418, track by_src, ip 64.174.237.178

#ET POLICY Vulnerable Java Version 1.8.x Detected
suppress gen_id 1, sig_id 2019401, track by_src, ip 192.168.1.101

#ET POLICY Kindle Fire Browser User-Agent Outbound
suppress gen_id 1, sig_id 2014095

#ET SHELLCODE Possible Call with No Offset TCP Shellcode (ESET NOD)
suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.167.87
suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.166.45
suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.11
suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.12
suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.13

#ET SHELLCODE Possible Call with No Offset UDP Shellcode (VOIP)
suppress gen_id 1, sig_id 2012087, track by_src, ip 74.201.99.62

#ET SHELLCODE Possible Call with No Offset TCP Shellcode
suppress gen_id 1, sig_id 2012086, track by_src, ip 64.174.237.178

asterix

After monitoring Snort for over 2 years, I am now confident on the suppression list doing no major harm to my network from outside attack. This week I moved the entire list (might have 1 or 2 more since my last post) to SID Mgmt, disablesid.conf on WAN (SID State Order: Disable Enable). This disables all the unneeded rules first before enabling the rest of the rules on Snort startup. Saves some CPU processing (don't expect miracles unless you are on P II/P III/P4 CPU). You wont see any difference on newer CPUs.

Here is the simpler list for disablesid.conf. Did a random check and found them disabled. No more suppression list for now.

1:536
1:648
1:653
1:1390
1:2452
1:8375
1:11192
1:12286
1:15147
1:15306
1:15362
1:16313
1:16482
1:17458
1:20583
1:23098
1:23256
1:24889
1:2000334
1:2000419
1:2003195
1:2007727
1:2008120
1:2008578
1:2010516
1:2010525
1:2010935
1:2010937
1:2011716
1:2012078
1:2012086-1:2012089
1:2012141
1:2012252
1:2012758
1:2013028
1:2013031
1:2013222
1:2013414
1:2013504
1:2014472
1:2014518
1:2014520
1:2014726
1:2014734
1:2014819
1:2015561
1:2015744
1:2015820
1:2016360
1:2016877
1:2017364
1:2018959
1:2019416
1:2022913
1:2100366
1:2100368
1:2100651
1:2101390
1:2101424
1:2102314
1:2103134
1:2103192
1:2402000
1:2403344
1:2406003
1:2406067
1:2406069
1:2406424
1:2500050
1:2500056
1:2520199
1:2520205
1:100000230
3:14772
3:19187
3:21355
119:2
119:4
119:7
119:14
119:31-119:33
120:2-120:4
120:6
120:8-120:10
122:19
122:21-122:23
122:26
123:10
124:3
125:2
137:1
138:2-138:6
141:1

akishore

Hi Asterix,

Thanks for the updated suppression list! It makes things work a lot better on my home network.

I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

Any help you could provide would be greatly appreciated.

Also why is using this method better than the suppression list?

Thanks!

asterix

@akishore:

Hi Asterix,

Thanks for the updated suppression list! It makes things work a lot better on my home network.

I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

Any help you could provide would be greatly appreciated.

See attached screenshot. Basically you go in SID Mgmt tab, enable "Enable Automatic SID State Management"and add/create a disabledsid.conf file. Once you have that added, go down below to the interface you are running Snort on (usually WAN) and reference the disabledsid.conf file under the Disable SID File column. SID State order should be "Disable,Enable"..so it will processing all the sids which are to be disabled first and then jump on to any specific sids you may have specified to be turned on using an enablesid.conf file (you can name the files what ever you feel like). Also ensure you go back to the WAN interface and remove the suppression list selected under "Alert Suppression and Filtering"  as you don't need it anymore. All your suppressed sids are now disabled to begin with so they will not be processed, hence no more alerts on them.

@akishore:

Also why is using this method better than the suppression list?

Thanks!

As I stated in the my previous post "This disables all the unneeded rules first before enabling the rest of the rules on Snort startup".. so Snort does not reference/process the disabled rules against the traffic saving some CPU time. Also since the rules are disabled before Snort starts, it saves some RAM and snort startup times are reduced…depending on how many rules you are loading and how many have been disabled of course.

In the case of suppression list, the rules are still being referenced/processed and the alerts being generated are just suppressed. So there is still activity in the background but since you set it up to ignore the alerts (suppress) they are not being shown in the logs.