Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata/Snort master SID disablesid.conf

    Scheduled Pinned Locked Moved IDS/IPS
    96 Posts 38 Posters 105.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BBcan177B
      BBcan177 Moderator
      last edited by

      Yes you can add an IP or CIDR and after that include additional other syntax as required.

      9.5.3 Suppression Rules

      Suppression rules are similar in syntax to standalone threshold rules. Suppression rules can suppress alerts by signature, by source or destination address, or by an entire CIDR network block. This flexibility has considerable power. Care must be taken to only suppress the correct alerts or addresses. An administrator could inadvertently suppress legitimate alerts.

      Suppression rules are written with the following syntax:

      suppress gen_id gen-id, sid_id sid-id, track [by_src|by_dst], ip IP/MASK-BITS

      Suppress this event completely:

      suppress gen_id 1, sig_id 114

      Suppress this event from this source IP address:

      suppress gen_id 1, sig_id 114, track by_src, ip 10.2.1.154

      Suppress this event to this destination CIDR block:

      suppress gen_id 1, sig_id 114, track by_dst, ip 10.2.1.0/24

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      1 Reply Last reply Reply Quote 0
      • panzP
        panz
        last edited by

        Thanks, this is for Suppress action. Am I able to use the track by_src with the event_filter?

        Panz

        pfSense 2.3.2-RELEASE-p1 (amd64)
        motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

        1 Reply Last reply Reply Quote 0
        • BBcan177B
          BBcan177 Moderator
          last edited by

          Yes you can add other settings after the IP address.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          1 Reply Last reply Reply Quote 0
          • panzP
            panz
            last edited by

            @BBcan177:

            Yes you can add other settings after the IP address.

            Sorry, I didn't explain my question well. Is this row ok? :

            event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600
            

            I'm asking because – in the examples regarding the event_filter – I can't find the "track by_src" followed by an IP address, like in the examples regarding the suppress command.

            I hope that my question is clear now.

            pfSense 2.3.2-RELEASE-p1 (amd64)
            motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

            1 Reply Last reply Reply Quote 0
            • BBcan177B
              BBcan177 Moderator
              last edited by

              @panz:

              Sorry, I didn't explain my question well. Is this row ok? :

              event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600
              

              After looking at the Docs, it looks like only the "Suppression" rules can use an IP where event_filter is only by src/dst…

              If you wanted to have a suppression and a event_filter, you could do the following in order:

              suppress gen_id 123, sig_id 8, track by_src, ip 106.188.165.67
              event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600

              This would suppress this sid/IP combination, and event_filter would limit any other IPs. Or you can just use the event_filter by itself.

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • panzP
                panz
                last edited by

                My intention was only to event_filter one address, my favorite AirVPN server.

                pfSense 2.3.2-RELEASE-p1 (amd64)
                motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                1 Reply Last reply Reply Quote 0
                • D
                  deanot
                  last edited by

                  The list is a good idea, BUT, we have no idea what is being suppressed.  At least I have no idea…..  Using this list literally stops everything from showing up and getting banned, is this a good idea?.  For all I know, you could have suppressed a bunch of things that should not be.

                  Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.

                  Not knocking your work, but as mentioned, I have no idea what you're suppressing.

                  PFSense System Specs.
                  –---------------
                  Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
                  4 CPUs: 1 package(s) x 4 core(s) 4 port HP Branded Intel Ethernet Card

                  1 Reply Last reply Reply Quote 0
                  • ?
                    Guest
                    last edited by

                    @deanot:

                    The list is a good idea, BUT, we have no idea what is being suppressed.  At least I have no idea…..  Using this list literally stops everything from showing up and getting banned, is this a good idea?.  For all I know, you could have suppressed a bunch of things that should not be.

                    Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.

                    Not knocking your work, but as mentioned, I have no idea what you're suppressing.

                    Thank you for pointing this out. I am a PFSense / snort newbie and just discovered this list. It improved the performance of snort, but I, too, am concerned about what it is actually doing since I am so new at this. A reply from somebody with experience would be beneficial.

                    This week I plan to remove the list, at lease temporarily, and try to make my own suppression list. It will give me a frame of reference that may enable me to figure out the donated one better.

                    1 Reply Last reply Reply Quote 0
                    • ?
                      Guest
                      last edited by

                      deanot,

                      I removed the copied suppression list ans started building my own today. I'm using suppression only at this time because I'm still too new with snort and PFSense to try the rule fixes. That will come down the road in a couple of weeks.

                      FYI: It appears to take detective work to figure out what can be suppressed. Just tedious detective work.

                      For example, a 'corporate violation' appeared to be my home network doing something internally using IPv6. Seemed pretty safe to suppress. Also on the copied list.

                      An IPv4 destination address pointed at Microsoft. Google said it was in use by a company that supplies an anti-malware product I use. I assumed it was talking back to the publisher. Coded as safe.

                      I noted one before that ooma was involved with and also noted on the ooma 'ports to forward' list they publish. Allowed.

                      This must reflect the suggestion to run 'detect only' for a couple of months first. Good luck.

                      1 Reply Last reply Reply Quote 0
                      • C
                        cmenghi
                        last edited by

                        Hi, people.

                        Im create a github repo with the list https://github.com/cristianmenghi/pfsense-snort/

                        I have a problem that snort block my access to the webConfigurator, any advice ?

                        thanks.

                        1 Reply Last reply Reply Quote 0
                        • S
                          sebna
                          last edited by

                          @cmenghi:

                          Hi, people.

                          Im create a github repo with the list https://github.com/cristianmenghi/pfsense-snort/

                          I have a problem that snort block my access to the webConfigurator, any advice ?

                          thanks.

                          I have exactly same problem using this list. Have you found lines / reason which are causing it? Otherwise list is great…

                          Can anybody advice?

                          1 Reply Last reply Reply Quote 0
                          • A
                            asterix
                            last edited by

                            Realized I had not posed my most recent suppression list. Found quiet a bit of new ones to add on the list after the recent upgrade to 2.3. I still see a few more false positives but they are not yet blocking anything critical.

                            –------------------------------------------

                            suppress gen_id 1, sig_id 536
                            suppress gen_id 1, sig_id 648
                            suppress gen_id 1, sig_id 653
                            suppress gen_id 1, sig_id 1390
                            suppress gen_id 1, sig_id 2452
                            suppress gen_id 1, sig_id 8375
                            suppress gen_id 1, sig_id 11192
                            suppress gen_id 1, sig_id 12286
                            suppress gen_id 1, sig_id 15147
                            suppress gen_id 1, sig_id 15306
                            suppress gen_id 1, sig_id 15362
                            suppress gen_id 1, sig_id 16313
                            suppress gen_id 1, sig_id 16482
                            suppress gen_id 1, sig_id 17458
                            suppress gen_id 1, sig_id 20583
                            suppress gen_id 1, sig_id 23098
                            suppress gen_id 1, sig_id 23256
                            suppress gen_id 1, sig_id 24889
                            suppress gen_id 1, sig_id 2000334
                            suppress gen_id 1, sig_id 2000419
                            suppress gen_id 1, sig_id 2003195
                            suppress gen_id 1, sig_id 2007727
                            suppress gen_id 1, sig_id 2008120
                            suppress gen_id 1, sig_id 2008578
                            suppress gen_id 1, sig_id 2010516
                            suppress gen_id 1, sig_id 2010525
                            suppress gen_id 1, sig_id 2010935
                            suppress gen_id 1, sig_id 2010937
                            suppress gen_id 1, sig_id 2011716
                            suppress gen_id 1, sig_id 2012078
                            suppress gen_id 1, sig_id 2012086
                            suppress gen_id 1, sig_id 2012087
                            suppress gen_id 1, sig_id 2012088
                            suppress gen_id 1, sig_id 2012089
                            suppress gen_id 1, sig_id 2012141
                            suppress gen_id 1, sig_id 2012252
                            suppress gen_id 1, sig_id 2012758
                            suppress gen_id 1, sig_id 2013028
                            suppress gen_id 1, sig_id 2013031
                            suppress gen_id 1, sig_id 2013222
                            suppress gen_id 1, sig_id 2013414
                            suppress gen_id 1, sig_id 2013504
                            suppress gen_id 1, sig_id 2014472
                            suppress gen_id 1, sig_id 2014518
                            suppress gen_id 1, sig_id 2014520
                            suppress gen_id 1, sig_id 2014726
                            suppress gen_id 1, sig_id 2014734
                            suppress gen_id 1, sig_id 2014819
                            suppress gen_id 1, sig_id 2015561
                            suppress gen_id 1, sig_id 2015744
                            suppress gen_id 1, sig_id 2016360
                            suppress gen_id 1, sig_id 2016877
                            suppress gen_id 1, sig_id 2017364
                            suppress gen_id 1, sig_id 2018959
                            suppress gen_id 1, sig_id 2019416
                            suppress gen_id 1, sig_id 2100366
                            suppress gen_id 1, sig_id 2100368
                            suppress gen_id 1, sig_id 2100651
                            suppress gen_id 1, sig_id 2101390
                            suppress gen_id 1, sig_id 2101424
                            suppress gen_id 1, sig_id 2102314
                            suppress gen_id 1, sig_id 2103134
                            suppress gen_id 1, sig_id 2103192
                            suppress gen_id 1, sig_id 2402000
                            suppress gen_id 1, sig_id 2403344
                            suppress gen_id 1, sig_id 2406003
                            suppress gen_id 1, sig_id 2406067
                            suppress gen_id 1, sig_id 2406069
                            suppress gen_id 1, sig_id 2406424
                            suppress gen_id 1, sig_id 2500050
                            suppress gen_id 1, sig_id 2500056
                            suppress gen_id 1, sig_id 2520199
                            suppress gen_id 1, sig_id 2520205
                            suppress gen_id 1, sig_id 100000230
                            suppress gen_id 3, sig_id 14772
                            suppress gen_id 3, sig_id 19187
                            suppress gen_id 3, sig_id 21355
                            suppress gen_id 119, sig_id 2
                            suppress gen_id 119, sig_id 4
                            suppress gen_id 119, sig_id 7
                            suppress gen_id 119, sig_id 14
                            suppress gen_id 119, sig_id 31
                            suppress gen_id 119, sig_id 32
                            suppress gen_id 119, sig_id 33
                            suppress gen_id 120, sig_id 2
                            suppress gen_id 120, sig_id 3
                            suppress gen_id 120, sig_id 4
                            suppress gen_id 120, sig_id 6
                            suppress gen_id 120, sig_id 8
                            suppress gen_id 120, sig_id 9
                            suppress gen_id 120, sig_id 10
                            suppress gen_id 122, sig_id 19
                            suppress gen_id 122, sig_id 21
                            suppress gen_id 122, sig_id 22
                            suppress gen_id 122, sig_id 23
                            suppress gen_id 122, sig_id 26
                            suppress gen_id 123, sig_id 10
                            suppress gen_id 124, sig_id 3
                            suppress gen_id 125, sig_id 2
                            suppress gen_id 137, sig_id 1
                            suppress gen_id 138, sig_id 2
                            suppress gen_id 138, sig_id 3
                            suppress gen_id 138, sig_id 4
                            suppress gen_id 138, sig_id 5
                            suppress gen_id 138, sig_id 6
                            suppress gen_id 140, sig_id 27
                            suppress gen_id 141, sig_id 1

                            1 Reply Last reply Reply Quote 0
                            • V
                              Vidmo
                              last edited by

                              For those who wish to know exactly what they are blocking and why, I present my list.

                              #GLOBAL

                              #This event is generated when an attempt is made to gain access to private resources using Samba
                              #suppress gen_id 1, sig_id 536

                              #GPL SHELLCODE x86 NOOP
                              #suppress gen_id 1, sig_id 648

                              #GPL SHELLCODE x86 0x90 unicode NOOP
                              #suppress gen_id 1, sig_id 653

                              #This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
                              suppress gen_id 1, sig_id 1390
                              suppress gen_id 1, sig_id 2452
                              suppress gen_id 1, sig_id 8375

                              #This event is generated when network traffic that indicates download of executable content is being used.
                              suppress gen_id 1, sig_id 11192

                              #This rule generates events when a portable executable file is downloaded
                              suppress gen_id 1, sig_id 15306

                              #FILE-IDENTIFY download of executable content - x-header -> stops windows download
                              suppress gen_id 1, sig_id 16313

                              #This event is generated when an attempt is made to exploit a known vulnerability in internet security.
                              suppress gen_id 1, sig_id 17458

                              #This event is generated when an attempt is made to exploit a known vulnerability in firefox.
                              suppress gen_id 1, sig_id 20583

                              #This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
                              suppress gen_id 1, sig_id 23098

                              #GPL ICMP_INFO PING *NIX
                              suppress gen_id 1, sig_id 2100366

                              #GPL ICMP_INFO
                              suppress gen_id 1, sig_id 2100368

                              #GPL SHELLCODE x86 stealth NOOP
                              suppress gen_id 1, sig_id 2100651
                              suppress gen_id 1, sig_id 2101390

                              #GPL SHELLCODE x86 0xEB0C NOOP
                              suppress gen_id 1, sig_id 2101424
                              suppress gen_id 1, sig_id 2102314
                              suppress gen_id 1, sig_id 2103134
                              suppress gen_id 1, sig_id 2500056
                              suppress gen_id 1, sig_id 100000230

                              #GPL WEB_CLIENT PNG large colour depth download attempt
                              suppress gen_id 1, sig_id 2103134

                              #WEB-CLIENT libpng malformed chunk denial of service attempt
                              suppress gen_id 3, sig_id 14772

                              #(http_inspect) DOUBLE DECODING ATTACK
                              suppress gen_id 119, sig_id 2

                              #(http_inspect) BARE BYTE UNICODE ENCODING
                              suppress gen_id 119, sig_id 4

                              #(http_inspect) IIS UNICODE CODEPOINT ENCODING
                              suppress gen_id 119, sig_id 7

                              #(http_inspect) NON-RFC DEFINED CHAR [**]
                              suppress gen_id 119, sig_id 14

                              #(http_inspect) UNKNOWN METHOD
                              suppress gen_id 119, sig_id 31

                              #(http_inspect) SIMPLE REQUEST
                              suppress gen_id 119, sig_id 32

                              #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                              suppress gen_id 120, sig_id 2
                              suppress gen_id 120, sig_id 3

                              #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
                              suppress gen_id 120, sig_id 4

                              #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
                              suppress gen_id 120, sig_id 6

                              #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                              suppress gen_id 120, sig_id 8

                              #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
                              suppress gen_id 120, sig_id 9

                              #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
                              suppress gen_id 120, sig_id 10

                              #(smtp) Attempted response buffer overflow: 1448 chars
                              suppress gen_id 124, sig_id 3

                              #(ftp_telnet) Invalid FTP Command
                              suppress gen_id 125, sig_id 2

                              #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
                              suppress gen_id 137, sig_id 1

                              #(IMAP) Unknown IMAP4 command
                              suppress gen_id 141, sig_id 1

                              #(http_inspect) UNESCAPED SPACE IN HTTP URI
                              suppress gen_id 119, sig_id 33

                              #ET P2P BitTorrent peer sync
                              suppress gen_id 1, sig_id 2000334

                              #ET P2P ThunderNetwork UDP Traffic (MS Azure)
                              suppress gen_id 1, sig_id 2009099, track by_dst, ip 23.99.86.92

                              #ET TFTP Outbound TFTP Read Request – VONAGE
                              suppress gen_id 1, sig_id 2008120

                              #ET CHAT Skype User-Agent detected
                              suppress gen_id 1, sig_id 2002157

                              #ET CHAT Skype VOIP Checking Version (Startup)
                              suppress gen_id 1, sig_id 2001595

                              #ET CHAT Suppressing all IRC alerts to the justin.tv / twitch.tv netblock 192.16.64.0/21, online game watching + irc chat service.
                              #'TROJAN IRC Private message on non-standard port',2000347
                              #'TROJAN IRC Nick change on non-standard port',2000345
                              #'TROJAN IRC Channel JOIN on non-standard port',2000348
                              suppress gen_id 1, sig_id 2000347, track by_dst, ip 192.16.64.0/21
                              suppress gen_id 1, sig_id 2000345, track by_dst, ip 192.16.64.0/21
                              suppress gen_id 1, sig_id 2000348, track by_dst, ip 192.16.64.0/21

                              #ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
                              suppress gen_id 1, sig_id 2010516

                              #ET WEB_CLIENT PDF With Embedded File
                              suppress gen_id 1, sig_id 2011507, track by_src, ip 192.104.67.214

                              #ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) (EATON UPS SOFTWARE)
                              suppress gen_id 1, sig_id 2010525, track by_src, ip 40.143.173.102

                              #ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt
                              suppress gen_id 1, sig_id 2011891

                              #ET INFO EXE - OSX Disk Image Download
                              suppress gen_id 1, sig_id 2014518

                              #ET INFO EXE - Served Attached HTTP
                              suppress gen_id 1, sig_id 2014520

                              #ET INFO Packed Executable Download
                              suppress gen_id 1, sig_id 2014819

                              #ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
                              suppress gen_id 1, sig_id 2018904
                              suppress gen_id 1, sig_id 2018905
                              suppress gen_id 1, sig_id 2018906
                              suppress gen_id 1, sig_id 2018907

                              #ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
                              suppress gen_id 1, sig_id 2016149
                              suppress gen_id 1, sig_id 2016150
                              suppress gen_id 1, sig_id 2018908

                              #ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
                              suppress gen_id 1, sig_id 2012758

                              #ET INFO Suspicious Windows NT version 8 User-Agent
                              suppress gen_id 1, sig_id 2015821

                              #ET INFO Possible Phish - Saved Website Comment Observed
                              suppress gen_id 1, sig_id 2018334

                              #ET INFO .exe File requested over FTP
                              suppress gen_id 1, sig_id 2014906, track by_dst, ip 64.174.237.178

                              #ET INFO PDF Using CCITTFax Filter
                              suppress gen_id 1, sig_id 2015561

                              #ET INFO Possible Chrome Plugin install
                              suppress gen_id 1, sig_id 2016847, track by_src, ip 192.168.1.120

                              #ET POLICY Microsoft user-agent automated process response to automated request
                              suppress gen_id 1, sig_id 2012692

                              #ET POLICY External IP Lookup - checkip.dyndns.org
                              suppress gen_id 1, sig_id 2021378

                              #ET POLICY External IP Lookup ip-api.com
                              suppress gen_id 1, sig_id 2022082

                              #ET POLICY Possible IP Check api.ipify.org
                              suppress gen_id 1, sig_id 2019512

                              #ET POLICY DynDNS CheckIp External IP Address Server Response
                              suppress gen_id 1, sig_id 2014932

                              #ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
                              suppress gen_id 1, sig_id 2011227

                              #ET POLICY PE EXE or DLL Windows file download HTTP
                              suppress gen_id 1, sig_id 2018959

                              #ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted (ESET NOD)
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.36
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.37
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.38
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.39
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.40
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.13
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.14
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.16
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.15
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.88
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.21
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.22
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.23
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.24
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.25
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.26
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.132
                              suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.133

                              #ET POLICY PE EXE or DLL Windows file download HTTP (NVIDIA)
                              suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.133
                              suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.189
                              suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.120.225

                              #ET POLICY Executable served from Amazon S3
                              suppress gen_id 1, sig_id 2013414

                              #ET POLICY Pandora Usage
                              suppress gen_id 1, sig_id 2014997

                              #ET POLICY iTunes User Agent
                              suppress gen_id 1, sig_id 2002878

                              #ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
                              suppress gen_id 1, sig_id 2019416

                              #ET POLICY Executable and linking format (ELF) file download
                              suppress gen_id 1, sig_id 2000418, track by_src, ip 64.174.237.178

                              #ET POLICY Vulnerable Java Version 1.8.x Detected
                              suppress gen_id 1, sig_id 2019401, track by_src, ip 192.168.1.101

                              #ET POLICY Kindle Fire Browser User-Agent Outbound
                              suppress gen_id 1, sig_id 2014095

                              #ET SHELLCODE Possible Call with No Offset TCP Shellcode (ESET NOD)
                              suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.167.87
                              suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.166.45
                              suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.11
                              suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.12
                              suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.13

                              #ET SHELLCODE Possible Call with No Offset UDP Shellcode (VOIP)
                              suppress gen_id 1, sig_id 2012087, track by_src, ip 74.201.99.62

                              #ET SHELLCODE Possible Call with No Offset TCP Shellcode
                              suppress gen_id 1, sig_id 2012086, track by_src, ip 64.174.237.178

                              1 Reply Last reply Reply Quote 1
                              • A
                                asterix
                                last edited by

                                After monitoring Snort for over 2 years, I am now confident on the suppression list doing no major harm to my network from outside attack. This week I moved the entire list (might have 1 or 2 more since my last post) to SID Mgmt, disablesid.conf on WAN (SID State Order: Disable Enable). This disables all the unneeded rules first before enabling the rest of the rules on Snort startup. Saves some CPU processing (don't expect miracles unless you are on P II/P III/P4 CPU). You wont see any difference on newer CPUs.

                                Here is the simpler list for disablesid.conf. Did a random check and found them disabled. No more suppression list for now.

                                1:536
                                1:648
                                1:653
                                1:1390
                                1:2452
                                1:8375
                                1:11192
                                1:12286
                                1:15147
                                1:15306
                                1:15362
                                1:16313
                                1:16482
                                1:17458
                                1:20583
                                1:23098
                                1:23256
                                1:24889
                                1:2000334
                                1:2000419
                                1:2003195
                                1:2007727
                                1:2008120
                                1:2008578
                                1:2010516
                                1:2010525
                                1:2010935
                                1:2010937
                                1:2011716
                                1:2012078
                                1:2012086-1:2012089
                                1:2012141
                                1:2012252
                                1:2012758
                                1:2013028
                                1:2013031
                                1:2013222
                                1:2013414
                                1:2013504
                                1:2014472
                                1:2014518
                                1:2014520
                                1:2014726
                                1:2014734
                                1:2014819
                                1:2015561
                                1:2015744
                                1:2015820
                                1:2016360
                                1:2016877
                                1:2017364
                                1:2018959
                                1:2019416
                                1:2022913
                                1:2100366
                                1:2100368
                                1:2100651
                                1:2101390
                                1:2101424
                                1:2102314
                                1:2103134
                                1:2103192
                                1:2402000
                                1:2403344
                                1:2406003
                                1:2406067
                                1:2406069
                                1:2406424
                                1:2500050
                                1:2500056
                                1:2520199
                                1:2520205
                                1:100000230
                                3:14772
                                3:19187
                                3:21355
                                119:2
                                119:4
                                119:7
                                119:14
                                119:31-119:33
                                120:2-120:4
                                120:6
                                120:8-120:10
                                122:19
                                122:21-122:23
                                122:26
                                123:10
                                124:3
                                125:2
                                137:1
                                138:2-138:6
                                141:1

                                1 Reply Last reply Reply Quote 0
                                • A
                                  akishore
                                  last edited by

                                  Hi Asterix,

                                  Thanks for the updated suppression list! It makes things work a lot better on my home network.

                                  I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

                                  Any help you could provide would be greatly appreciated.

                                  Also why is using this method better than the suppression list?

                                  Thanks!

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    asterix
                                    last edited by

                                    @akishore:

                                    Hi Asterix,

                                    Thanks for the updated suppression list! It makes things work a lot better on my home network.

                                    I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

                                    Any help you could provide would be greatly appreciated.

                                    See attached screenshot. Basically you go in SID Mgmt tab, enable "Enable Automatic SID State Management"and add/create a disabledsid.conf file. Once you have that added, go down below to the interface you are running Snort on (usually WAN) and reference the disabledsid.conf file under the Disable SID File column. SID State order should be "Disable,Enable"..so it will processing all the sids which are to be disabled first and then jump on to any specific sids you may have specified to be turned on using an enablesid.conf file (you can name the files what ever you feel like). Also ensure you go back to the WAN interface and remove the suppression list selected under "Alert Suppression and Filtering"  as you don't need it anymore. All your suppressed sids are now disabled to begin with so they will not be processed, hence no more alerts on them.

                                    @akishore:

                                    Also why is using this method better than the suppression list?

                                    Thanks!

                                    As I stated in the my previous post "This disables all the unneeded rules first before enabling the rest of the rules on Snort startup".. so Snort does not reference/process the disabled rules against the traffic saving some CPU time. Also since the rules are disabled before Snort starts, it saves some RAM and snort startup times are reduced…depending on how many rules you are loading and how many have been disabled of course.

                                    In the case of suppression list, the rules are still being referenced/processed and the alerts being generated are just suppressed. So there is still activity in the background but since you set it up to ignore the alerts (suppress) they are not being shown in the logs.

                                    SID.png
                                    SID.png_thumb

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      Ramosel
                                      last edited by

                                      @Asterix:

                                      As I stated in the my previous post "This disables all the unneeded rules first before enabling the rest of the rules on Snort startup"..

                                      Sweet,  doing a fresh load on new hardware so very timely too.

                                      Thanks!

                                      1 Reply Last reply Reply Quote 0
                                      • panzP
                                        panz
                                        last edited by

                                        Thank you Asterix, well done!

                                        I encountered only to "problems":

                                        1. if I download a list, it contains a lot of html code (I'm using Firefox v. 50.1.0)

                                        2. If I download all bunch of lists in gzip, the resulted file is corrupted (unpacking program: WinRAR v. 5.40 64-bit)

                                        pfSense 2.3.2-RELEASE-p1 (amd64)
                                        motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          asterix
                                          last edited by

                                          @panz:

                                          I encountered only to "problems":

                                          1. if I download a list, it contains a lot of html code (I'm using Firefox v. 50.1.0)

                                          2. If I download all bunch of lists in gzip, the resulted file is corrupted (unpacking program: WinRAR v. 5.40 64-bit)

                                          Not sure what list you are referring to. If you mean the list above, just copy paste it directly into pfSense. https://forum.pfsense.org/index.php?topic=56267.msg665288#msg665288

                                          On another note, after moving to Suricata a couple of days ago I am noticing more FPs which I first suppressed then moved to disablesid.conf. This may be due to the fact that I restructured my entire network from L2 to L3. So pfSense lan now acts just as a transit interface and is servicing clients outside its network (with the help of gateways and static routes).

                                          1 Reply Last reply Reply Quote 0
                                          • panzP
                                            panz
                                            last edited by

                                            I'm talking about the little icon that shows the description "download this SID mods list file"in the SID mgmt section: if you open the downloaded file it's not a text file

                                            pfSense 2.3.2-RELEASE-p1 (amd64)
                                            motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.