Netgate Discussion Forum

    Suricata/Snort master SID disablesid.conf

    IDS/IPS - 96 Posts, 38 Posters, 105.3k Views

    • panz

      @bmeeks:

      @panz:

      So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)

      event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600
      

      gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap

      panz

      Yes, that's correct.  Open the Suppress List in edit mode and paste in the line.  Save the list and then restart the affected Snort interface.  Make sure that the Suppress List you edit is the one currently used by the interface.  You can check this on the INTERFACE SETTINGS tab for the interface.

      Bill

      Could I force this to work only for a certain IP address? Is it possible to add the IP address I want to filter after the comma past the "track by_src"?

      pfSense 2.3.2-RELEASE-p1 (amd64)
      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

      • BBcan177 (Moderator)

        Yes, you can add an IP or CIDR and after that include additional syntax as required.

        9.5.3 Suppression Rules

        Suppression rules are similar in syntax to standalone threshold rules. Suppression rules can suppress alerts by signature, by source or destination address, or by an entire CIDR network block. This flexibility has considerable power. Care must be taken to only suppress the correct alerts or addresses. An administrator could inadvertently suppress legitimate alerts.

        Suppression rules are written with the following syntax:

        suppress gen_id gen-id, sig_id sid-id, track [by_src|by_dst], ip IP/MASK-BITS

        Suppress this event completely:

        suppress gen_id 1, sig_id 114

        Suppress this event from this source IP address:

        suppress gen_id 1, sig_id 114, track by_src, ip 10.2.1.154

        Suppress this event to this destination CIDR block:

        suppress gen_id 1, sig_id 114, track by_dst, ip 10.2.1.0/24

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • panz

          Thanks, this is for Suppress action. Am I able to use the track by_src with the event_filter?

          Panz

          • BBcan177 (Moderator)

            Yes you can add other settings after the IP address.

            • panz

              @BBcan177:

              Yes you can add other settings after the IP address.

              Sorry, I didn't explain my question well. Is this row ok? :

              event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600
              

              I'm asking because – in the examples regarding the event_filter – I can't find the "track by_src" followed by an IP address, like in the examples regarding the suppress command.

              I hope that my question is clear now.

              • BBcan177 (Moderator)

                @panz:

                Sorry, I didn't explain my question well. Is this row ok? :

                event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600
                

                After looking at the Docs, it looks like only the "Suppression" rules can use an IP where event_filter is only by src/dst…

                If you wanted to have a suppression and an event_filter, you could do the following, in this order:

                suppress gen_id 123, sig_id 8, track by_src, ip 106.188.165.67
                event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

                This would suppress this sid/IP combination, and event_filter would limit any other IPs. Or you can just use the event_filter by itself.

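As an added example (not code from this thread, from pfSense or from Snort), the following Python models how the two threshold.conf lines proposed above combine: a suppress entry silences one source address outright, while the event_filter rate-limits every other source. It assumes the grammar in the Snort manual, where event_filter carries no ip argument (only suppress does) and a second event_filter for the same gen_id/sig_id is a configuration error; the event stream and the 203.0.113.9 address are constructed for the demonstration.

```python
"""Added example, not from the thread or from pfSense/Snort: a model of how
Snort's threshold.conf 'suppress' and 'event_filter' entries interact.

Assumptions: the grammar follows the Snort manual; event_filter takes no
'ip' argument (only suppress does); a second event_filter for one
gen_id/sig_id is rejected. The event stream below is constructed.
"""
import ipaddress
import re

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$")
FILTER_RE = re.compile(
    r"^event_filter\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(limit|threshold|both),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)$")


def parse_threshold_conf(text):
    """Return (suppress_entries, filters); raise ValueError on lines Snort would
    reject, such as an IP wedged into an event_filter."""
    suppress, filters = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := SUPPRESS_RE.match(line):
            gid, sid, track, ip = m.groups()
            net = ipaddress.ip_network(ip, strict=False) if ip else None
            suppress.append(((int(gid), int(sid)), track, net))
        elif m := FILTER_RE.match(line):
            gid, sid, typ, track, count, seconds = m.groups()
            key = (int(gid), int(sid))
            if key in filters:
                raise ValueError(f"second event_filter for gen_id {gid}, sig_id {sid}")
            filters[key] = (typ, track, int(count), int(seconds))
        else:
            raise ValueError(f"not valid threshold.conf syntax: {line!r}")
    return suppress, filters


def is_valid(conf_text):
    try:
        parse_threshold_conf(conf_text)
        return True
    except ValueError:
        return False


class AlertPolicy:
    """Decide, event by event, whether an alert would be emitted."""

    def __init__(self, conf_text):
        self.suppress, self.filters = parse_threshold_conf(conf_text)
        self.windows = {}  # (gid, sid, tracked ip) -> [window start, hits]

    def alerts(self, gid, sid, src, dst, ts):
        key = (gid, sid)
        # 1. suppress: a matching entry silences the event outright.
        for skey, track, net in self.suppress:
            if skey != key:
                continue
            if net is None:
                return False
            addr = ipaddress.ip_address(src if track == "by_src" else dst)
            if addr in net:
                return False
        # 2. event_filter: rate-limit per tracked address.
        if key not in self.filters:
            return True
        typ, track, count, seconds = self.filters[key]
        wkey = (gid, sid, src if track == "by_src" else dst)
        win = self.windows.get(wkey)
        if win is None or ts - win[0] >= seconds:
            win = self.windows[wkey] = [ts, 0]
        win[1] += 1
        n = win[1]
        if typ == "limit":        # first `count` events per window alert
            return n <= count
        if typ == "threshold":    # every `count`-th event alerts
            return n % count == 0
        return n == count         # both: once per window, on the count-th hit


def count_alerts(conf_text, events):
    """events: iterable of (gid, sid, src, dst, ts); returns alerts emitted."""
    policy = AlertPolicy(conf_text)
    return sum(policy.alerts(*e) for e in events)


def demo():
    """Run a constructed event stream through the two proposed lines."""
    conf = """
    suppress gen_id 123, sig_id 8, track by_src, ip 106.188.165.67
    event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600
    """
    lan = "192.168.1.10"
    return {
        "vpn_host": count_alerts(conf, [(123, 8, "106.188.165.67", lan, t) for t in range(20)]),
        "other_host_first_window": count_alerts(conf, [(123, 8, "203.0.113.9", lan, t) for t in range(12)]),
        "other_host_next_window": count_alerts(
            conf, [(123, 8, "203.0.113.9", lan, t) for t in list(range(12)) + list(range(600, 610))]) - 1,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the VPN host never alerts, and any other host alerts once per 600-second window once ten fragmentation-overlap events have been seen. The parser also rejects the earlier attempt to put an address inside the event_filter line, which matches the documentation's split between the two directives.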
                • panz

                  My intention was only to event_filter one address, my favorite AirVPN server.

                  • deanot

                    The list is a good idea, BUT, we have no idea what is being suppressed. At least I have no idea. Using this list literally stops everything from showing up and getting banned; is this a good idea? For all I know, you could have suppressed a bunch of things that should not be.

                    Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.

                    Not knocking your work, but as mentioned, I have no idea what you're suppressing.

                    PFSense System Specs.
                    ----------------
                    Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
                    4 CPUs: 1 package(s) x 4 core(s) 4 port HP Branded Intel Ethernet Card

                    • Guest

                      @deanot:

                      The list is a good idea, BUT, we have no idea what is being suppressed. At least I have no idea. Using this list literally stops everything from showing up and getting banned; is this a good idea? For all I know, you could have suppressed a bunch of things that should not be.

                      Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.

                      Not knocking your work, but as mentioned, I have no idea what you're suppressing.

                      Thank you for pointing this out. I am a PFSense / snort newbie and just discovered this list. It improved the performance of snort, but I, too, am concerned about what it is actually doing since I am so new at this. A reply from somebody with experience would be beneficial.

                      This week I plan to remove the list, at least temporarily, and try to make my own suppression list. It will give me a frame of reference that may enable me to figure out the donated one better.

                      • Guest

                        deanot,

                        I removed the copied suppression list and started building my own today. I'm using suppression only at this time because I'm still too new with Snort and pfSense to try the rule fixes. That will come down the road in a couple of weeks.

                        FYI: It appears to take detective work to figure out what can be suppressed. Just tedious detective work.

                        For example, a 'corporate violation' appeared to be my home network doing something internally using IPv6. Seemed pretty safe to suppress. Also on the copied list.

                        An IPv4 destination address pointed at Microsoft. Google said it was in use by a company that supplies an anti-malware product I use. I assumed it was talking back to the publisher. Coded as safe.

                        I noted one before that ooma was involved with and also noted on the ooma 'ports to forward' list they publish. Allowed.

                        This must reflect the suggestion to run 'detect only' for a couple of months first. Good luck.

                        • cmenghi

                          Hi, people.

                          I've created a GitHub repo with the list: https://github.com/cristianmenghi/pfsense-snort/

                          I have a problem: Snort blocks my access to the webConfigurator. Any advice?

                          thanks.

                          • sebna

                            @cmenghi:

                            Hi, people.

                            I've created a GitHub repo with the list: https://github.com/cristianmenghi/pfsense-snort/

                            I have a problem: Snort blocks my access to the webConfigurator. Any advice?

                            thanks.

                            I have exactly the same problem using this list. Have you found the lines / reason which are causing it? Otherwise the list is great…

                            Can anybody advise?

                            • asterix

                              Realized I had not posted my most recent suppression list. Found quite a few new ones to add to the list after the recent upgrade to 2.3. I still see a few more false positives, but they are not yet blocking anything critical.

                              -------------------------------------------

                              suppress gen_id 1, sig_id 536
                              suppress gen_id 1, sig_id 648
                              suppress gen_id 1, sig_id 653
                              suppress gen_id 1, sig_id 1390
                              suppress gen_id 1, sig_id 2452
                              suppress gen_id 1, sig_id 8375
                              suppress gen_id 1, sig_id 11192
                              suppress gen_id 1, sig_id 12286
                              suppress gen_id 1, sig_id 15147
                              suppress gen_id 1, sig_id 15306
                              suppress gen_id 1, sig_id 15362
                              suppress gen_id 1, sig_id 16313
                              suppress gen_id 1, sig_id 16482
                              suppress gen_id 1, sig_id 17458
                              suppress gen_id 1, sig_id 20583
                              suppress gen_id 1, sig_id 23098
                              suppress gen_id 1, sig_id 23256
                              suppress gen_id 1, sig_id 24889
                              suppress gen_id 1, sig_id 2000334
                              suppress gen_id 1, sig_id 2000419
                              suppress gen_id 1, sig_id 2003195
                              suppress gen_id 1, sig_id 2007727
                              suppress gen_id 1, sig_id 2008120
                              suppress gen_id 1, sig_id 2008578
                              suppress gen_id 1, sig_id 2010516
                              suppress gen_id 1, sig_id 2010525
                              suppress gen_id 1, sig_id 2010935
                              suppress gen_id 1, sig_id 2010937
                              suppress gen_id 1, sig_id 2011716
                              suppress gen_id 1, sig_id 2012078
                              suppress gen_id 1, sig_id 2012086
                              suppress gen_id 1, sig_id 2012087
                              suppress gen_id 1, sig_id 2012088
                              suppress gen_id 1, sig_id 2012089
                              suppress gen_id 1, sig_id 2012141
                              suppress gen_id 1, sig_id 2012252
                              suppress gen_id 1, sig_id 2012758
                              suppress gen_id 1, sig_id 2013028
                              suppress gen_id 1, sig_id 2013031
                              suppress gen_id 1, sig_id 2013222
                              suppress gen_id 1, sig_id 2013414
                              suppress gen_id 1, sig_id 2013504
                              suppress gen_id 1, sig_id 2014472
                              suppress gen_id 1, sig_id 2014518
                              suppress gen_id 1, sig_id 2014520
                              suppress gen_id 1, sig_id 2014726
                              suppress gen_id 1, sig_id 2014734
                              suppress gen_id 1, sig_id 2014819
                              suppress gen_id 1, sig_id 2015561
                              suppress gen_id 1, sig_id 2015744
                              suppress gen_id 1, sig_id 2016360
                              suppress gen_id 1, sig_id 2016877
                              suppress gen_id 1, sig_id 2017364
                              suppress gen_id 1, sig_id 2018959
                              suppress gen_id 1, sig_id 2019416
                              suppress gen_id 1, sig_id 2100366
                              suppress gen_id 1, sig_id 2100368
                              suppress gen_id 1, sig_id 2100651
                              suppress gen_id 1, sig_id 2101390
                              suppress gen_id 1, sig_id 2101424
                              suppress gen_id 1, sig_id 2102314
                              suppress gen_id 1, sig_id 2103134
                              suppress gen_id 1, sig_id 2103192
                              suppress gen_id 1, sig_id 2402000
                              suppress gen_id 1, sig_id 2403344
                              suppress gen_id 1, sig_id 2406003
                              suppress gen_id 1, sig_id 2406067
                              suppress gen_id 1, sig_id 2406069
                              suppress gen_id 1, sig_id 2406424
                              suppress gen_id 1, sig_id 2500050
                              suppress gen_id 1, sig_id 2500056
                              suppress gen_id 1, sig_id 2520199
                              suppress gen_id 1, sig_id 2520205
                              suppress gen_id 1, sig_id 100000230
                              suppress gen_id 3, sig_id 14772
                              suppress gen_id 3, sig_id 19187
                              suppress gen_id 3, sig_id 21355
                              suppress gen_id 119, sig_id 2
                              suppress gen_id 119, sig_id 4
                              suppress gen_id 119, sig_id 7
                              suppress gen_id 119, sig_id 14
                              suppress gen_id 119, sig_id 31
                              suppress gen_id 119, sig_id 32
                              suppress gen_id 119, sig_id 33
                              suppress gen_id 120, sig_id 2
                              suppress gen_id 120, sig_id 3
                              suppress gen_id 120, sig_id 4
                              suppress gen_id 120, sig_id 6
                              suppress gen_id 120, sig_id 8
                              suppress gen_id 120, sig_id 9
                              suppress gen_id 120, sig_id 10
                              suppress gen_id 122, sig_id 19
                              suppress gen_id 122, sig_id 21
                              suppress gen_id 122, sig_id 22
                              suppress gen_id 122, sig_id 23
                              suppress gen_id 122, sig_id 26
                              suppress gen_id 123, sig_id 10
                              suppress gen_id 124, sig_id 3
                              suppress gen_id 125, sig_id 2
                              suppress gen_id 137, sig_id 1
                              suppress gen_id 138, sig_id 2
                              suppress gen_id 138, sig_id 3
                              suppress gen_id 138, sig_id 4
                              suppress gen_id 138, sig_id 5
                              suppress gen_id 138, sig_id 6
                              suppress gen_id 140, sig_id 27
                              suppress gen_id 141, sig_id 1

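A bare list like the one above leaves the objection raised earlier in the thread standing: nobody reading it can tell what each gen_id/sig_id silences. As an added example (not code from this thread, from pfSense or from Snort), the following Python resolves every suppress entry to its rule message and flags entries that no loaded rule accounts for. It assumes text rules carry msg:"..." and sid:N; (gid 1 unless a gid: option is present) and that preprocessor events are described in gen-msg.map as gid || sid || message; the rule lines, map lines and suppress list inside the block are constructed samples whose messages are the ones quoted in this thread, not copies of any ruleset.

```python
"""Added example, not from the thread or from pfSense/Snort: resolve each
suppress entry to its rule message so a reviewer can see what is silenced.

Assumptions: text rules carry msg:"..." and sid:N; (gid defaults to 1 unless
a gid: option is present); preprocessor events live in gen-msg.map as
'gid || sid || message'. All sample data below is constructed.
"""
import re

RULE_HEAD = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)")

# Constructed samples: rule bodies are illustrative; the messages are the
# ones quoted in this thread. One rule is commented out, i.e. disabled.
SAMPLE_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; classtype:misc-activity; sid:2100366; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:648; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent peer sync"; flow:established; classtype:policy-violation; sid:2000334; rev:11;)
"""
SAMPLE_GEN_MSG_MAP = """\
119 || 2 || (http_inspect) DOUBLE DECODING ATTACK
120 || 6 || (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
123 || 8 || (spp_frag3) Fragmentation overlap
"""
SAMPLE_SUPPRESS = """\
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2100366
suppress gen_id 119, sig_id 2
suppress gen_id 123, sig_id 8
suppress gen_id 1, sig_id 100000230
"""


def index_rules(rules_text):
    """(gid, sid) -> (msg, disabled); a rule commented out with '#' is disabled."""
    index = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        body = line.lstrip("# ")
        if not RULE_HEAD.match(body):
            continue  # blank lines, plain comments, include directives
        sid, msg = SID_RE.search(body), MSG_RE.search(body)
        if not (sid and msg):
            continue
        gid = GID_RE.search(body)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        index[key] = (msg.group(1), line.startswith("#"))
    return index


def index_gen_msg_map(map_text):
    """(gid, sid) -> (msg, False) from 'gid || sid || message' lines."""
    index = {}
    for raw in map_text.splitlines():
        parts = [p.strip() for p in raw.split("||")]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            index[(int(parts[0]), int(parts[1]))] = (parts[2], False)
    return index


def build_index(rules_text, map_text):
    return {**index_rules(rules_text), **index_gen_msg_map(map_text)}


def annotate(suppress_text, index):
    """Return the suppress list with a '#' description above every entry."""
    out = []
    for raw in suppress_text.splitlines():
        m = SUPPRESS_RE.match(raw)
        if not m:
            out.append(raw)
            continue
        gid, sid = int(m.group(1)), int(m.group(2))
        if (gid, sid) in index:
            msg, disabled = index[(gid, sid)]
            note = f"# {gid}:{sid} {msg}" + ("  (already disabled in the ruleset)" if disabled else "")
        else:
            note = f"# {gid}:{sid} NOT FOUND in loaded rules; verify before keeping"
        out.extend([note, raw.strip()])
    return "\n".join(out)


def unknown_entries(suppress_text, index):
    """(gid, sid) pairs that no loaded rule or preprocessor event explains."""
    keys = [(int(m.group(1)), int(m.group(2)))
            for m in map(SUPPRESS_RE.match, suppress_text.splitlines()) if m]
    return [k for k in keys if k not in index]


if __name__ == "__main__":
    idx = build_index(SAMPLE_RULES, SAMPLE_GEN_MSG_MAP)
    print(annotate(SAMPLE_SUPPRESS, idx))
    print("unresolved:", unknown_entries(SAMPLE_SUPPRESS, idx))
```

On a real box, feed it the concatenated .rules files Snort is actually loading for the interface plus that ruleset's gen-msg.map; anything reported as NOT FOUND is an entry carried over from someone else's configuration that nobody has justified, and an entry flagged as already disabled is dead weight that can be removed.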
                              • Vidmo

                                For those who wish to know exactly what they are blocking and why, I present my list.

                                #GLOBAL

                                #This event is generated when an attempt is made to gain access to private resources using Samba
                                #suppress gen_id 1, sig_id 536

                                #GPL SHELLCODE x86 NOOP
                                #suppress gen_id 1, sig_id 648

                                #GPL SHELLCODE x86 0x90 unicode NOOP
                                #suppress gen_id 1, sig_id 653

                                #This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
                                suppress gen_id 1, sig_id 1390
                                suppress gen_id 1, sig_id 2452
                                suppress gen_id 1, sig_id 8375

                                #This event is generated when network traffic that indicates download of executable content is being used.
                                suppress gen_id 1, sig_id 11192

                                #This rule generates events when a portable executable file is downloaded
                                suppress gen_id 1, sig_id 15306

                                #FILE-IDENTIFY download of executable content - x-header -> stops windows download
                                suppress gen_id 1, sig_id 16313

                                #This event is generated when an attempt is made to exploit a known vulnerability in internet security.
                                suppress gen_id 1, sig_id 17458

                                #This event is generated when an attempt is made to exploit a known vulnerability in firefox.
                                suppress gen_id 1, sig_id 20583

                                #This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
                                suppress gen_id 1, sig_id 23098

                                #GPL ICMP_INFO PING *NIX
                                suppress gen_id 1, sig_id 2100366

                                #GPL ICMP_INFO
                                suppress gen_id 1, sig_id 2100368

                                #GPL SHELLCODE x86 stealth NOOP
                                suppress gen_id 1, sig_id 2100651
                                suppress gen_id 1, sig_id 2101390

                                #GPL SHELLCODE x86 0xEB0C NOOP
                                suppress gen_id 1, sig_id 2101424
                                suppress gen_id 1, sig_id 2102314
                                suppress gen_id 1, sig_id 2103134
                                suppress gen_id 1, sig_id 2500056
                                suppress gen_id 1, sig_id 100000230

                                #GPL WEB_CLIENT PNG large colour depth download attempt
                                suppress gen_id 1, sig_id 2103134

                                #WEB-CLIENT libpng malformed chunk denial of service attempt
                                suppress gen_id 3, sig_id 14772

                                #(http_inspect) DOUBLE DECODING ATTACK
                                suppress gen_id 119, sig_id 2

                                #(http_inspect) BARE BYTE UNICODE ENCODING
                                suppress gen_id 119, sig_id 4

                                #(http_inspect) IIS UNICODE CODEPOINT ENCODING
                                suppress gen_id 119, sig_id 7

                                #(http_inspect) NON-RFC DEFINED CHAR [**]
                                suppress gen_id 119, sig_id 14

                                #(http_inspect) UNKNOWN METHOD
                                suppress gen_id 119, sig_id 31

                                #(http_inspect) SIMPLE REQUEST
                                suppress gen_id 119, sig_id 32

                                #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                                suppress gen_id 120, sig_id 2
                                suppress gen_id 120, sig_id 3

                                #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
                                suppress gen_id 120, sig_id 4

                                #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
                                suppress gen_id 120, sig_id 6

                                #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                                suppress gen_id 120, sig_id 8

                                #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
                                suppress gen_id 120, sig_id 9

                                #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
                                suppress gen_id 120, sig_id 10

                                #(smtp) Attempted response buffer overflow: 1448 chars
                                suppress gen_id 124, sig_id 3

                                #(ftp_telnet) Invalid FTP Command
                                suppress gen_id 125, sig_id 2

                                #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
                                suppress gen_id 137, sig_id 1

                                #(IMAP) Unknown IMAP4 command
                                suppress gen_id 141, sig_id 1

                                #(http_inspect) UNESCAPED SPACE IN HTTP URI
                                suppress gen_id 119, sig_id 33

                                #ET P2P BitTorrent peer sync
                                suppress gen_id 1, sig_id 2000334

                                #ET P2P ThunderNetwork UDP Traffic (MS Azure)
                                suppress gen_id 1, sig_id 2009099, track by_dst, ip 23.99.86.92

                                #ET TFTP Outbound TFTP Read Request – VONAGE
                                suppress gen_id 1, sig_id 2008120

                                #ET CHAT Skype User-Agent detected
                                suppress gen_id 1, sig_id 2002157

                                #ET CHAT Skype VOIP Checking Version (Startup)
                                suppress gen_id 1, sig_id 2001595

                                #ET CHAT Suppressing all IRC alerts to the justin.tv / twitch.tv netblock 192.16.64.0/21, online game watching + irc chat service.
                                #'TROJAN IRC Private message on non-standard port',2000347
                                #'TROJAN IRC Nick change on non-standard port',2000345
                                #'TROJAN IRC Channel JOIN on non-standard port',2000348
                                suppress gen_id 1, sig_id 2000347, track by_dst, ip 192.16.64.0/21
                                suppress gen_id 1, sig_id 2000345, track by_dst, ip 192.16.64.0/21
                                suppress gen_id 1, sig_id 2000348, track by_dst, ip 192.16.64.0/21

                                #ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
                                suppress gen_id 1, sig_id 2010516

                                #ET WEB_CLIENT PDF With Embedded File
                                suppress gen_id 1, sig_id 2011507, track by_src, ip 192.104.67.214

                                #ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) (EATON UPS SOFTWARE)
                                suppress gen_id 1, sig_id 2010525, track by_src, ip 40.143.173.102

                                #ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt
                                suppress gen_id 1, sig_id 2011891

                                #ET INFO EXE - OSX Disk Image Download
                                suppress gen_id 1, sig_id 2014518

                                #ET INFO EXE - Served Attached HTTP
                                suppress gen_id 1, sig_id 2014520

                                #ET INFO Packed Executable Download
                                suppress gen_id 1, sig_id 2014819

                                #ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
                                suppress gen_id 1, sig_id 2018904
                                suppress gen_id 1, sig_id 2018905
                                suppress gen_id 1, sig_id 2018906
                                suppress gen_id 1, sig_id 2018907

                                #ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
                                suppress gen_id 1, sig_id 2016149
                                suppress gen_id 1, sig_id 2016150
                                suppress gen_id 1, sig_id 2018908

                                #ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
                                suppress gen_id 1, sig_id 2012758

                                #ET INFO Suspicious Windows NT version 8 User-Agent
                                suppress gen_id 1, sig_id 2015821

                                #ET INFO Possible Phish - Saved Website Comment Observed
                                suppress gen_id 1, sig_id 2018334

                                #ET INFO .exe File requested over FTP
                                suppress gen_id 1, sig_id 2014906, track by_dst, ip 64.174.237.178

                                #ET INFO PDF Using CCITTFax Filter
                                suppress gen_id 1, sig_id 2015561

                                #ET INFO Possible Chrome Plugin install
                                suppress gen_id 1, sig_id 2016847, track by_src, ip 192.168.1.120

                                #ET POLICY Microsoft user-agent automated process response to automated request
                                suppress gen_id 1, sig_id 2012692

                                #ET POLICY External IP Lookup - checkip.dyndns.org
                                suppress gen_id 1, sig_id 2021378

                                #ET POLICY External IP Lookup ip-api.com
                                suppress gen_id 1, sig_id 2022082

                                #ET POLICY Possible IP Check api.ipify.org
                                suppress gen_id 1, sig_id 2019512

                                #ET POLICY DynDNS CheckIp External IP Address Server Response
                                suppress gen_id 1, sig_id 2014932

                                #ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
                                suppress gen_id 1, sig_id 2011227

                                #ET POLICY PE EXE or DLL Windows file download HTTP
                                suppress gen_id 1, sig_id 2018959

                                #ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted (ESET NOD)
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.36
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.37
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.38
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.39
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.40
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.13
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.14
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.16
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.15
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.88
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.21
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.22
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.23
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.24
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.25
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.26
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.132
                                suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.133

                                #ET POLICY PE EXE or DLL Windows file download HTTP (NVIDIA)
                                suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.133
                                suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.189
                                suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.120.225

                                #ET POLICY Executable served from Amazon S3
                                suppress gen_id 1, sig_id 2013414

                                #ET POLICY Pandora Usage
                                suppress gen_id 1, sig_id 2014997

                                #ET POLICY iTunes User Agent
                                suppress gen_id 1, sig_id 2002878

                                #ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
                                suppress gen_id 1, sig_id 2019416

                                #ET POLICY Executable and linking format (ELF) file download
                                suppress gen_id 1, sig_id 2000418, track by_src, ip 64.174.237.178

                                #ET POLICY Vulnerable Java Version 1.8.x Detected
                                suppress gen_id 1, sig_id 2019401, track by_src, ip 192.168.1.101

                                #ET POLICY Kindle Fire Browser User-Agent Outbound
                                suppress gen_id 1, sig_id 2014095

                                #ET SHELLCODE Possible Call with No Offset TCP Shellcode (ESET NOD)
                                suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.167.87
                                suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.166.45
                                suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.11
                                suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.12
                                suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.13

                                #ET SHELLCODE Possible Call with No Offset UDP Shellcode (VOIP)
                                suppress gen_id 1, sig_id 2012087, track by_src, ip 74.201.99.62

                                #ET SHELLCODE Possible Call with No Offset TCP Shellcode
                                suppress gen_id 1, sig_id 2012086, track by_src, ip 64.174.237.178

                                  asterix

                                  After monitoring Snort for over 2 years, I am now confident that the suppression list does no major harm to my network from outside attack. This week I moved the entire list (might have 1 or 2 more since my last post) to SID Mgmt, disablesid.conf on WAN (SID State Order: Disable Enable). This disables all the unneeded rules first before enabling the rest of the rules on Snort startup. Saves some CPU processing (don't expect miracles unless you are on P II/P III/P4 CPU). You won't see any difference on newer CPUs.

                                  Here is the simpler list for disablesid.conf. Did a random check and found them disabled. No more suppression list for now.

                                  1:536
                                  1:648
                                  1:653
                                  1:1390
                                  1:2452
                                  1:8375
                                  1:11192
                                  1:12286
                                  1:15147
                                  1:15306
                                  1:15362
                                  1:16313
                                  1:16482
                                  1:17458
                                  1:20583
                                  1:23098
                                  1:23256
                                  1:24889
                                  1:2000334
                                  1:2000419
                                  1:2003195
                                  1:2007727
                                  1:2008120
                                  1:2008578
                                  1:2010516
                                  1:2010525
                                  1:2010935
                                  1:2010937
                                  1:2011716
                                  1:2012078
                                  1:2012086-1:2012089
                                  1:2012141
                                  1:2012252
                                  1:2012758
                                  1:2013028
                                  1:2013031
                                  1:2013222
                                  1:2013414
                                  1:2013504
                                  1:2014472
                                  1:2014518
                                  1:2014520
                                  1:2014726
                                  1:2014734
                                  1:2014819
                                  1:2015561
                                  1:2015744
                                  1:2015820
                                  1:2016360
                                  1:2016877
                                  1:2017364
                                  1:2018959
                                  1:2019416
                                  1:2022913
                                  1:2100366
                                  1:2100368
                                  1:2100651
                                  1:2101390
                                  1:2101424
                                  1:2102314
                                  1:2103134
                                  1:2103192
                                  1:2402000
                                  1:2403344
                                  1:2406003
                                  1:2406067
                                  1:2406069
                                  1:2406424
                                  1:2500050
                                  1:2500056
                                  1:2520199
                                  1:2520205
                                  1:100000230
                                  3:14772
                                  3:19187
                                  3:21355
                                  119:2
                                  119:4
                                  119:7
                                  119:14
                                  119:31-119:33
                                  120:2-120:4
                                  120:6
                                  120:8-120:10
                                  122:19
                                  122:21-122:23
                                  122:26
                                  123:10
                                  124:3
                                  125:2
                                  137:1
                                  138:2-138:6
                                  141:1

                                    akishore

                                    Hi Asterix,

                                    Thanks for the updated suppression list! It makes things work a lot better on my home network.

                                    I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

                                    Any help you could provide would be greatly appreciated.

                                    Also why is using this method better than the suppression list?

                                    Thanks!

                                      asterix

                                      @akishore:

                                      Hi Asterix,

                                      Thanks for the updated suppression list! It makes things work a lot better on my home network.

                                      I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

                                      Any help you could provide would be greatly appreciated.

                                      See attached screenshot. Basically you go in the SID Mgmt tab, enable "Enable Automatic SID State Management" and add/create a disabledsid.conf file. Once you have that added, go down below to the interface you are running Snort on (usually WAN) and reference the disabledsid.conf file under the Disable SID File column. SID State Order should be "Disable, Enable", so it will process all the SIDs which are to be disabled first and then jump on to any specific SIDs you may have specified to be turned on using an enablesid.conf file (you can name the files whatever you feel like). Also ensure you go back to the WAN interface and remove the suppression list selected under "Alert Suppression and Filtering" as you don't need it anymore. All your suppressed SIDs are now disabled to begin with so they will not be processed, hence no more alerts on them.

                                      @akishore:

                                      Also why is using this method better than the suppression list?

                                      Thanks!

                                      As I stated in my previous post, "This disables all the unneeded rules first before enabling the rest of the rules on Snort startup", so Snort does not reference/process the disabled rules against the traffic, saving some CPU time. Also, since the rules are disabled before Snort starts, it saves some RAM and Snort startup times are reduced… depending on how many rules you are loading and how many have been disabled, of course.

                                      In the case of suppression list, the rules are still being referenced/processed and the alerts being generated are just suppressed. So there is still activity in the background but since you set it up to ignore the alerts (suppress) they are not being shown in the logs.

                                      [attached screenshot: SID.png]

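The two formats discussed in this thread, the suppress list posted above and the gid:sid entries (including gid:sid-gid:sid ranges) of disablesid.conf, are small enough to handle with a short script. The following Python helper is an added example, not code from the thread or from the pfSense Snort/Suricata package: it parses a suppress list, expands disablesid.conf entries, and converts blanket suppressions into disablesid lines while flagging host-scoped (track/ip) suppressions, because disabling such a rule outright silences it for every host rather than only the one the suppression named. The sample list inside is constructed from a few entries in the thread; only the two disablesid forms seen on this page are handled.

```python
import re
# Constructed sample in the shape of the thread's suppress list (not the full list).
SAMPLE_SUPPRESS = """\
#ET POLICY Executable served from Amazon S3
suppress gen_id 1, sig_id 2013414
suppress gen_id 1, sig_id 2019401, track by_src, ip 192.168.1.101
suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.167.87
suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.166.45
"""
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
                         r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?\s*$")

def parse_suppress(text):
    """Return (blanket, scoped): blanket = {(gid, sid)}, scoped = {(gid, sid): [(track, ip)]}."""
    blanket, scoped = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparsed suppress line: {line!r}")
        key = (int(m.group(1)), int(m.group(2)))
        if m.group(3) is None:
            blanket.add(key)  # no track/ip: the rule is silenced for every host
        else:
            scoped.setdefault(key, []).append((m.group(3), m.group(4)))
    return blanket, scoped

def expand_disablesid(text):
    """Expand gid:sid and gid:sid-gid:sid lines (the two forms used in the thread) into (gid, sid) pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        lo, _, hi = line.partition("-")
        lo_gid, lo_sid = map(int, lo.split(":"))
        hi_gid, hi_sid = map(int, hi.split(":")) if hi else (lo_gid, lo_sid)
        if hi_gid != lo_gid or hi_sid < lo_sid:
            raise ValueError(f"bad range: {line!r}")
        pairs.update((lo_gid, s) for s in range(lo_sid, hi_sid + 1))
    return pairs

def to_disablesid(blanket, scoped):
    """Blanket suppressions convert 1:1; host-scoped ones are only reported, since disabling loses coverage."""
    lines = [f"{g}:{s}" for g, s in sorted(blanket)]
    notes = [f"{g}:{s} is scoped to {len(v)} host(s); disabling it silences it for all hosts"
             for (g, s), v in sorted(scoped.items())]
    return lines, notes
```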
                                        Ramosel

                                        @Asterix:

                                        As I stated in the my previous post "This disables all the unneeded rules first before enabling the rest of the rules on Snort startup"..

                                        Sweet,  doing a fresh load on new hardware so very timely too.

                                        Thanks!

                                          panz

                                          Thank you Asterix, well done!

                                          I encountered only two "problems":

                                          1. If I download a list, it contains a lot of HTML code (I'm using Firefox v. 50.1.0)

                                          2. If I download the whole bunch of lists in gzip, the resulting file is corrupted (unpacking program: WinRAR v. 5.40 64-bit)


                                            asterix

                                            @panz:

                                            I encountered only two "problems":

                                            1. If I download a list, it contains a lot of HTML code (I'm using Firefox v. 50.1.0)

                                            2. If I download the whole bunch of lists in gzip, the resulting file is corrupted (unpacking program: WinRAR v. 5.40 64-bit)

                                            Not sure what list you are referring to. If you mean the list above, just copy paste it directly into pfSense. https://forum.pfsense.org/index.php?topic=56267.msg665288#msg665288

                                            On another note, after moving to Suricata a couple of days ago I am noticing more FPs which I first suppressed then moved to disablesid.conf. This may be due to the fact that I restructured my entire network from L2 to L3. So pfSense lan now acts just as a transit interface and is servicing clients outside its network (with the help of gateways and static routes).

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.