Suricata/Snort master SID disablesid.conf

Vidmo

For those who wish to know exactly what they are blocking and why, I present my list.

#GLOBAL

#This event is generated when an attempt is made to gain access to private resources using Samba
#suppress gen_id 1, sig_id 536

#GPL SHELLCODE x86 NOOP
#suppress gen_id 1, sig_id 648

#GPL SHELLCODE x86 0x90 unicode NOOP
#suppress gen_id 1, sig_id 653

#This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375

#This event is generated when network traffic that indicates download of executable content is being used.
suppress gen_id 1, sig_id 11192

#This rule generates events when a portable executable file is downloaded
suppress gen_id 1, sig_id 15306

#FILE-IDENTIFY download of executable content - x-header -> stops windows download
suppress gen_id 1, sig_id 16313

#This event is generated when an attempt is made to exploit a known vulnerability in internet security.
suppress gen_id 1, sig_id 17458

#This event is generated when an attempt is made to exploit a known vulnerability in firefox.
suppress gen_id 1, sig_id 20583

#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
suppress gen_id 1, sig_id 23098

#GPL ICMP_INFO PING *NIX
suppress gen_id 1, sig_id 2100366

#GPL ICMP_INFO
suppress gen_id 1, sig_id 2100368

#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390

#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230

#GPL WEB_CLIENT PNG large colour depth download attempt
suppress gen_id 1, sig_id 2103134

#WEB-CLIENT libpng malformed chunk denial of service attempt
suppress gen_id 3, sig_id 14772

#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2

#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4

#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7

#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14

#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31

#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32

#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3

#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4

#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6

#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8

#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9

#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10

#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3

#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2

#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1

#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1

#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33

#ET P2P BitTorrent peer sync
suppress gen_id 1, sig_id 2000334

#ET P2P ThunderNetwork UDP Traffic (MS Azure)
suppress gen_id 1, sig_id 2009099, track by_dst, ip 23.99.86.92

#ET TFTP Outbound TFTP Read Request – VONAGE
suppress gen_id 1, sig_id 2008120

#ET CHAT Skype User-Agent detected
suppress gen_id 1, sig_id 2002157

#ET CHAT Skype VOIP Checking Version (Startup)
suppress gen_id 1, sig_id 2001595

#ET CHAT Suppressing all IRC alerts to the justin.tv / twitch.tv netblock 192.16.64.0/21, online game watching + irc chat service.
#'TROJAN IRC Private message on non-standard port',2000347
#'TROJAN IRC Nick change on non-standard port',2000345
#'TROJAN IRC Channel JOIN on non-standard port',2000348
suppress gen_id 1, sig_id 2000347, track by_dst, ip 192.16.64.0/21
suppress gen_id 1, sig_id 2000345, track by_dst, ip 192.16.64.0/21
suppress gen_id 1, sig_id 2000348, track by_dst, ip 192.16.64.0/21

#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
suppress gen_id 1, sig_id 2010516

#ET WEB_CLIENT PDF With Embedded File
suppress gen_id 1, sig_id 2011507, track by_src, ip 192.104.67.214

#ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) (EATON UPS SOFTWARE)
suppress gen_id 1, sig_id 2010525, track by_src, ip 40.143.173.102

#ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt
suppress gen_id 1, sig_id 2011891

#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518

#ET INFO EXE - Served Attached HTTP
suppress gen_id 1, sig_id 2014520

#ET INFO Packed Executable Download
suppress gen_id 1, sig_id 2014819

#ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
suppress gen_id 1, sig_id 2018904
suppress gen_id 1, sig_id 2018905
suppress gen_id 1, sig_id 2018906
suppress gen_id 1, sig_id 2018907

#ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
suppress gen_id 1, sig_id 2016149
suppress gen_id 1, sig_id 2016150
suppress gen_id 1, sig_id 2018908

#ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
suppress gen_id 1, sig_id 2012758

#ET INFO Suspicious Windows NT version 8 User-Agent
suppress gen_id 1, sig_id 2015821

#ET INFO Possible Phish - Saved Website Comment Observed
suppress gen_id 1, sig_id 2018334

#ET INFO .exe File requested over FTP
suppress gen_id 1, sig_id 2014906, track by_dst, ip 64.174.237.178

#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561

#ET INFO Possible Chrome Plugin install
suppress gen_id 1, sig_id 2016847, track by_src, ip 192.168.1.120

#ET POLICY Microsoft user-agent automated process response to automated request
suppress gen_id 1, sig_id 2012692

#ET POLICY External IP Lookup - checkip.dyndns.org
suppress gen_id 1, sig_id 2021378

#ET POLICY External IP Lookup ip-api.com
suppress gen_id 1, sig_id 2022082

#ET POLICY Possible IP Check api.ipify.org
suppress gen_id 1, sig_id 2019512

#ET POLICY DynDNS CheckIp External IP Address Server Response
suppress gen_id 1, sig_id 2014932

#ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
suppress gen_id 1, sig_id 2011227

#ET POLICY PE EXE or DLL Windows file download HTTP
suppress gen_id 1, sig_id 2018959

#ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted (ESET NOD)
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.36
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.37
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.38
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.39
suppress gen_id 1, sig_id 2006380, track by_dst, ip 38.90.226.40
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.13
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.14
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.16
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.15
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.166.88
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.21
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.22
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.23
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.24
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.25
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.26
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.132
suppress gen_id 1, sig_id 2006380, track by_dst, ip 91.228.167.133

#ET POLICY PE EXE or DLL Windows file download HTTP (NVIDIA)
suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.133
suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.113.189
suppress gen_id 1, sig_id 2018959, track by_src, ip 8.36.120.225

#ET POLICY Executable served from Amazon S3
suppress gen_id 1, sig_id 2013414

#ET POLICY Pandora Usage
suppress gen_id 1, sig_id 2014997

#ET POLICY iTunes User Agent
suppress gen_id 1, sig_id 2002878

#ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
suppress gen_id 1, sig_id 2019416

#ET POLICY Executable and linking format (ELF) file download
suppress gen_id 1, sig_id 2000418, track by_src, ip 64.174.237.178

#ET POLICY Vulnerable Java Version 1.8.x Detected
suppress gen_id 1, sig_id 2019401, track by_src, ip 192.168.1.101

#ET POLICY Kindle Fire Browser User-Agent Outbound
suppress gen_id 1, sig_id 2014095

#ET SHELLCODE Possible Call with No Offset TCP Shellcode (ESET NOD)
suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.167.87
suppress gen_id 1, sig_id 2012086, track by_src, ip 91.228.166.45
suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.11
suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.12
suppress gen_id 1, sig_id 2012086, track by_src, ip 38.90.226.13

#ET SHELLCODE Possible Call with No Offset UDP Shellcode (VOIP)
suppress gen_id 1, sig_id 2012087, track by_src, ip 74.201.99.62

#ET SHELLCODE Possible Call with No Offset TCP Shellcode
suppress gen_id 1, sig_id 2012086, track by_src, ip 64.174.237.178

asterix

After monitoring Snort for over 2 years, I am now confident on the suppression list doing no major harm to my network from outside attack. This week I moved the entire list (might have 1 or 2 more since my last post) to SID Mgmt, disablesid.conf on WAN (SID State Order: Disable Enable). This disables all the unneeded rules first before enabling the rest of the rules on Snort startup. Saves some CPU processing (don't expect miracles unless you are on P II/P III/P4 CPU). You wont see any difference on newer CPUs.

Here is the simpler list for disablesid.conf. Did a random check and found them disabled. No more suppression list for now.

1:536
1:648
1:653
1:1390
1:2452
1:8375
1:11192
1:12286
1:15147
1:15306
1:15362
1:16313
1:16482
1:17458
1:20583
1:23098
1:23256
1:24889
1:2000334
1:2000419
1:2003195
1:2007727
1:2008120
1:2008578
1:2010516
1:2010525
1:2010935
1:2010937
1:2011716
1:2012078
1:2012086-1:2012089
1:2012141
1:2012252
1:2012758
1:2013028
1:2013031
1:2013222
1:2013414
1:2013504
1:2014472
1:2014518
1:2014520
1:2014726
1:2014734
1:2014819
1:2015561
1:2015744
1:2015820
1:2016360
1:2016877
1:2017364
1:2018959
1:2019416
1:2022913
1:2100366
1:2100368
1:2100651
1:2101390
1:2101424
1:2102314
1:2103134
1:2103192
1:2402000
1:2403344
1:2406003
1:2406067
1:2406069
1:2406424
1:2500050
1:2500056
1:2520199
1:2520205
1:100000230
3:14772
3:19187
3:21355
119:2
119:4
119:7
119:14
119:31-119:33
120:2-120:4
120:6
120:8-120:10
122:19
122:21-122:23
122:26
123:10
124:3
125:2
137:1
138:2-138:6
141:1

akishore

Hi Asterix,

Thanks for the updated suppression list! It makes things work a lot better on my home network.

I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

Any help you could provide would be greatly appreciated.

Also why is using this method better than the suppression list?

Thanks!

asterix

@akishore:

Hi Asterix,

Thanks for the updated suppression list! It makes things work a lot better on my home network.

I noticed your last post says you moved the list over to SID Mgmt and stopped using the suppression list. Can you explain in detail how to do this? I'm a noob and I understood the whole suppression list and how to set it up, etc., but I have no idea what disablesid.conf is, where to edit it, etc.

Any help you could provide would be greatly appreciated.

See attached screenshot. Basically you go in SID Mgmt tab, enable "Enable Automatic SID State Management"and add/create a disabledsid.conf file. Once you have that added, go down below to the interface you are running Snort on (usually WAN) and reference the disabledsid.conf file under the Disable SID File column. SID State order should be "Disable,Enable"..so it will processing all the sids which are to be disabled first and then jump on to any specific sids you may have specified to be turned on using an enablesid.conf file (you can name the files what ever you feel like). Also ensure you go back to the WAN interface and remove the suppression list selected under "Alert Suppression and Filtering"  as you don't need it anymore. All your suppressed sids are now disabled to begin with so they will not be processed, hence no more alerts on them.

@akishore:

Also why is using this method better than the suppression list?

Thanks!

As I stated in the my previous post "This disables all the unneeded rules first before enabling the rest of the rules on Snort startup".. so Snort does not reference/process the disabled rules against the traffic saving some CPU time. Also since the rules are disabled before Snort starts, it saves some RAM and snort startup times are reduced…depending on how many rules you are loading and how many have been disabled of course.

In the case of suppression list, the rules are still being referenced/processed and the alerts being generated are just suppressed. So there is still activity in the background but since you set it up to ignore the alerts (suppress) they are not being shown in the logs.

Ramosel

@Asterix:

As I stated in the my previous post "This disables all the unneeded rules first before enabling the rest of the rules on Snort startup"..

Sweet,  doing a fresh load on new hardware so very timely too.

Thanks!

panz

Thank you Asterix, well done!

I encountered only to "problems":

1. if I download a list, it contains a lot of html code (I'm using Firefox v. 50.1.0)

2. If I download all bunch of lists in gzip, the resulted file is corrupted (unpacking program: WinRAR v. 5.40 64-bit)

asterix

@panz:

I encountered only to "problems":

1. if I download a list, it contains a lot of html code (I'm using Firefox v. 50.1.0)

2. If I download all bunch of lists in gzip, the resulted file is corrupted (unpacking program: WinRAR v. 5.40 64-bit)

Not sure what list you are referring to. If you mean the list above, just copy paste it directly into pfSense. https://forum.pfsense.org/index.php?topic=56267.msg665288#msg665288

On another note, after moving to Suricata a couple of days ago I am noticing more FPs which I first suppressed then moved to disablesid.conf. This may be due to the fact that I restructured my entire network from L2 to L3. So pfSense lan now acts just as a transit interface and is servicing clients outside its network (with the help of gateways and static routes).

panz

I'm talking about the little icon that shows the description "download this SID mods list file"in the SID mgmt section: if you open the downloaded file it's not a text file

bmeeks

@panz:

I'm talking about the little icon that shows the description "download this SID mods list file"in the SID mgmt section: if you open the downloaded file it's not a text file

This may a lingering bug from the Bootstrap conversion, or it might be peculiar to Firefox.  Have you another browser to try such as Chrome or Internet Explorer?  If it persists with other browsers, I will look at getting it fixed in the next Snort package update.

In the meantime, you can download the files outside of the GUI using something like WinSCP on Windows to perform a secure copy (SSH) operation.  The files live in the /var/db/suricata/sidmods directory on the firewall.

Bill

panz

It's the same with Google Chrome; moreover the "Download" button (which is supposed to download all the lists in a single bzip file) generates a corrupted archive.

doktornotor

The download button seems to work normally here with Suricata at least. The individual files have HTML crap appended.

@bmeeks: You might try something like this, I recall that was working pretty well: https://github.com/pfsense/pfsense-packages/blob/master/config/tftp2/tftp_files.php#L52

bmeeks

@doktornotor:

The download button seems to work normally here with Suricata at least. The individual files have HTML crap appended.

@bmeeks: You might try something like this, I recall that was working pretty well: https://github.com/pfsense/pfsense-packages/blob/master/config/tftp2/tftp_files.php#L52

Thanks!  I will put looking into this problem on todo list for Snort.  This may be caused by some changes to the underlying web server in newer pfSense versions.  I have not touched that particular code in Snort for a very long time (well before the change in the web server engine on the firewall).

Bill

uptownVagrant

I'm running into a strange issue when using a disablesid.conf file, contents included below, the SIDs are not being disabled, I still see them triggering alerts, and when I check the rules in the snort interface I see "{$textse}"; " preceding SIDs that were specified in servers-disablesid.conf.  See attachment

I've tried removing all of the comments in the conf file and rebuilding without luck.  Has anyone else run into this?

# servers-disablesid.conf

# DELETED NETBIOS SMB D$ share access
1:536

# INDICATOR-SHELLCODE x86 NOOP
1:648

# DELETED SHELLCODE x86 0x90 unicode NOOP
1:653

# INDICATOR-SHELLCODE x86 inc ebx NOOP
1:1390

# POLICY-SOCIAL Yahoo IM ping
1:2452

# BROWSER-PLUGINS QuickTime Object ActiveX clsid access
1:8375

# FILE-EXECUTABLE download of executable content
1:11192

# FILE-OTHER PCRE character class heap buffer overflow attempt
1:12286

# BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt
1:15147

# FILE-EXECUTABLE Portable Executable binary file magic detected
1:15306

# INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack
1:15362

# FILE-EXECUTABLE download of executable content
1:16313

# BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
1:16482

# FILE-OTHER BitDefender Internet Security script code execution attempt
1:17458

# BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt
1:20583

# FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
1:23098

# FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
1:23256

# FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt
1:24889

# ET P2P BitTorrent peer sync
1:2000334

# ET POLICY PE EXE or DLL Windows file download
1:2000419

# ET POLICY Unusual number of DNS No Such Name Responses
1:2003195

# ET P2P possible torrent download
1:2007727

# ET TFTP Outbound TFTP Read Request
1:2008120

# ET SCAN Sipvicious Scan
1:2008578

# ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
1:2010516

# ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1:2010525

# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935

# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937

# ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
1:2011716

# ET POLICY Windows-Based OpenSSL Tunnel Outbound
1:2012078

# ET DELETED Possible Call with No Offset TCP Shellcode
1:2012086

# ET SHELLCODE Possible Call with No Offset UDP Shellcode
1:2012087

# ET SHELLCODE Possible Call with No Offset TCP Shellcode
1:2012088

# ET SHELLCODE Possible Call with No Offset UDP Shellcode
1:2012089

# ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
1:2012141

# ET SHELLCODE Common 0a0a0a0a Heap Spray String
1:2012252

# ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
1:2012758

# ET POLICY curl User-Agent Outbound
1:2013028

# ET POLICY Python-urllib/ Suspicious User Agent
1:2013031

# ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
1:2013222

# ET POLICY Executable served from Amazon S3
1:2013414

# ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
1:2013504

# ET INFO JAVA - Java Archive Download
1:2014472

# ET INFO EXE - OSX Disk Image Download
1:2014518

# ET INFO EXE - Served Attached HTTP
1:2014520

# ET POLICY Outdated Windows Flash Version IE
1:2014726

# ET P2P BitTorrent - Torrent File Downloaded
1:2014734

# ET INFO Packed Executable Download
1:2014819

# ET INFO PDF Using CCITTFax Filter
1:2015561

# ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1:2015744

# ET INFO Suspicious Windows NT version 7 User-Agent
1:2015820

# ET INFO JAVA - ClassID
1:2016360

# ET POLICY Unsupported/Fake FireFox Version 2.
1:2016877

# ET INFO SUSPCIOUS Non-standard base64 charset used for encoding
1:2017364

# ET POLICY PE EXE or DLL Windows file download HTTP
1:2018959

# ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
1:2019416

# ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel
1:2022913

# NOT FOUND IN RULES
1:2100366
1:2100368
1:2100651
1:2101390
1:2101424
1:2102314
1:2103134
1:2103192

# ET DROP Dshield Block Listed Source group 1
1:2402000

# ET CINS Active Threat Intelligence Poor Reputation IP TCP group 23
1:2403344

# NOT FOUND IN RULES
1:2406003
1:2406067
1:2406069
1:2406424

# ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 26
1:2500050

# ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 29
1:2500056

# NOT FOUND IN RULES
1:2520199
1:2520205
1:100000230

# FILE-IMAGE libpng malformed chunk denial of service attempt
3:14772

# PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
3:19187

# PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
3:21355

# HI_CLIENT_DOUBLE_DECODE
119:2

# HI_CLIENT_BARE_BYTE
119:4

# HI_CLIENT_IIS_UNICODE
119:7

# HI_CLIENT_NON_RFC_CHAR
119:14

# HI_CLIENT_UNKNOWN_METHOD
119:31

# HI_CLIENT_SIMPLE_REQUEST
119:32

# HI_CLIENT_UNESCAPED_SPACE_IN_URI
119:33

# HI_SERVER_INVALID_STATCODE
120:2

# HI_SERVER_NO_CONTLEN
120:3

# HI_SERVER_UTF_NORM_FAIL
120:4

# HI_SERVER_DECOMPR_FAILED
120:6

# HI_CLISRV_MSG_SIZE_EXCEPTION
120:8

# HI_SERVER_JS_OBFUSCATION_EXCD
120:9

# HI_SERVER_JS_EXCESS_WS
120:10

# HI_SERVER_JS_EXCESS_WS
122:19

# PSNG_UDP_FILTERED_PORTSCAN
122:21

# PSNG_UDP_FILTERED_DECOY_PORTSCAN
122:22

#PSNG_UDP_PORTSWEEP_FILTERED
122:23

# PSNG_ICMP_PORTSWEEP_FILTERED
122:26

# FRAG3_IPV6_BAD_FRAG_PKT
123:10

# SMTP_RESPONSE_OVERFLOW
124:3

# FTPP_FTP_INVALID_CMD
125:2

# SSL_INVALID_CLIENT_HELLO
137:1

# NOT FOUND IN RULES
138:2
138:3
138:4
138:5
138:6

# IMAP_UNKNOWN_CMD
141:1

panz

I encountered a similar problem with SID Mgmt: it is not disabling rules # 2000419 and # 2018959 (ET POLICY PE EXE or DLL Windows file download); I had to exclude them manually.

Veldkornet

@Asterix:

Here is the simpler list for disablesid.conf. Did a random check and found them disabled. No more suppression list for now.

Thanks for the list!

I was wondering though, do you have the same list with comments?
Just wondering what all has been disabled here…

swmspam

Asterix, thank you for posting your work on the lsit. Nice job!

Most Snort recommendations are to make it inward-looking (LAN) instead of outward-looking (WAN). The inward-looking (LAN) configuration allows you to detect misbehaving internal LAN clients. The outward-looking (WAN) configuration might show you some interesting information, but it's not really actionable.

Comments?

remzej

@uptownVagrant:

I'm running into a strange issue when using a disablesid.conf file, contents included below, the SIDs are not being disabled, I still see them triggering alerts, and when I check the rules in the snort interface I see "{$textse}"; " preceding SIDs that were specified in servers-disablesid.conf.  See attachment

I've tried removing all of the comments in the conf file and rebuilding without luck.  Has anyone else run into this?

# servers-disablesid.conf

# DELETED NETBIOS SMB D$ share access
1:536

# INDICATOR-SHELLCODE x86 NOOP
1:648

# DELETED SHELLCODE x86 0x90 unicode NOOP
1:653

# INDICATOR-SHELLCODE x86 inc ebx NOOP
1:1390

# POLICY-SOCIAL Yahoo IM ping
1:2452

# BROWSER-PLUGINS QuickTime Object ActiveX clsid access
1:8375

# FILE-EXECUTABLE download of executable content
1:11192

# FILE-OTHER PCRE character class heap buffer overflow attempt
1:12286

# BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt
1:15147

# FILE-EXECUTABLE Portable Executable binary file magic detected
1:15306

# INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack
1:15362

# FILE-EXECUTABLE download of executable content
1:16313

# BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
1:16482

# FILE-OTHER BitDefender Internet Security script code execution attempt
1:17458

# BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt
1:20583

# FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
1:23098

# FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
1:23256

# FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt
1:24889

# ET P2P BitTorrent peer sync
1:2000334

# ET POLICY PE EXE or DLL Windows file download
1:2000419

# ET POLICY Unusual number of DNS No Such Name Responses
1:2003195

# ET P2P possible torrent download
1:2007727

# ET TFTP Outbound TFTP Read Request
1:2008120

# ET SCAN Sipvicious Scan
1:2008578

# ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
1:2010516

# ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1:2010525

# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935

# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937

# ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
1:2011716

# ET POLICY Windows-Based OpenSSL Tunnel Outbound
1:2012078

# ET DELETED Possible Call with No Offset TCP Shellcode
1:2012086

# ET SHELLCODE Possible Call with No Offset UDP Shellcode
1:2012087

# ET SHELLCODE Possible Call with No Offset TCP Shellcode
1:2012088

# ET SHELLCODE Possible Call with No Offset UDP Shellcode
1:2012089

# ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
1:2012141

# ET SHELLCODE Common 0a0a0a0a Heap Spray String
1:2012252

# ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
1:2012758

# ET POLICY curl User-Agent Outbound
1:2013028

# ET POLICY Python-urllib/ Suspicious User Agent
1:2013031

# ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
1:2013222

# ET POLICY Executable served from Amazon S3
1:2013414

# ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
1:2013504

# ET INFO JAVA - Java Archive Download
1:2014472

# ET INFO EXE - OSX Disk Image Download
1:2014518

# ET INFO EXE - Served Attached HTTP
1:2014520

# ET POLICY Outdated Windows Flash Version IE
1:2014726

# ET P2P BitTorrent - Torrent File Downloaded
1:2014734

# ET INFO Packed Executable Download
1:2014819

# ET INFO PDF Using CCITTFax Filter
1:2015561

# ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1:2015744

# ET INFO Suspicious Windows NT version 7 User-Agent
1:2015820

# ET INFO JAVA - ClassID
1:2016360

# ET POLICY Unsupported/Fake FireFox Version 2.
1:2016877

# ET INFO SUSPCIOUS Non-standard base64 charset used for encoding
1:2017364

# ET POLICY PE EXE or DLL Windows file download HTTP
1:2018959

# ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
1:2019416

# ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel
1:2022913

# NOT FOUND IN RULES
1:2100366
1:2100368
1:2100651
1:2101390
1:2101424
1:2102314
1:2103134
1:2103192

# ET DROP Dshield Block Listed Source group 1
1:2402000

# ET CINS Active Threat Intelligence Poor Reputation IP TCP group 23
1:2403344

# NOT FOUND IN RULES
1:2406003
1:2406067
1:2406069
1:2406424

# ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 26
1:2500050

# ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 29
1:2500056

# NOT FOUND IN RULES
1:2520199
1:2520205
1:100000230

# FILE-IMAGE libpng malformed chunk denial of service attempt
3:14772

# PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
3:19187

# PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
3:21355

# HI_CLIENT_DOUBLE_DECODE
119:2

# HI_CLIENT_BARE_BYTE
119:4

# HI_CLIENT_IIS_UNICODE
119:7

# HI_CLIENT_NON_RFC_CHAR
119:14

# HI_CLIENT_UNKNOWN_METHOD
119:31

# HI_CLIENT_SIMPLE_REQUEST
119:32

# HI_CLIENT_UNESCAPED_SPACE_IN_URI
119:33

# HI_SERVER_INVALID_STATCODE
120:2

# HI_SERVER_NO_CONTLEN
120:3

# HI_SERVER_UTF_NORM_FAIL
120:4

# HI_SERVER_DECOMPR_FAILED
120:6

# HI_CLISRV_MSG_SIZE_EXCEPTION
120:8

# HI_SERVER_JS_OBFUSCATION_EXCD
120:9

# HI_SERVER_JS_EXCESS_WS
120:10

# HI_SERVER_JS_EXCESS_WS
122:19

# PSNG_UDP_FILTERED_PORTSCAN
122:21

# PSNG_UDP_FILTERED_DECOY_PORTSCAN
122:22

#PSNG_UDP_PORTSWEEP_FILTERED
122:23

# PSNG_ICMP_PORTSWEEP_FILTERED
122:26

# FRAG3_IPV6_BAD_FRAG_PKT
123:10

# SMTP_RESPONSE_OVERFLOW
124:3

# FTPP_FTP_INVALID_CMD
125:2

# SSL_INVALID_CLIENT_HELLO
137:1

# NOT FOUND IN RULES
138:2
138:3
138:4
138:5
138:6

# IMAP_UNKNOWN_CMD
141:1

We had the same issue my friend. Some of the GID and SID defined in SID Mgmt doesn't work. I tested 1 rule 1:2008289 to enable and disable it using the SID Mgmt disable-sid.conf it doesn't change at all.

chaos215bar2

I appreciate the tips, but with a new pfSense and Snort installation, I think I'm still missing something fundamental here: Why are we adding rules like 119:2 — rules marked "not-suspicious" — to the suppression list at all?

Unless I'm completely misunderstanding something, this and similar rules are inserted by one of the preprocessors, and have already been annotated as rules that don't on their own imply suspicious traffic when triggered, so why is Snort adding firewall rules when they're triggered? Is there no option to simply have Snort not add firewall rules when traffic triggers a rule marked "not-suspicious"?

I ask, because after a couple weeks of running Snort with the default "connectivity" IPS rule set as well as some of the more targeted ET rulesets, the only problems I've had are with rules marked "not-suspicious" or "unknown". It seems like an unnecessary hassle to manually add these rules to a suppression list when they're already marked as something that doesn't directly imply problematic traffic.

code4u

Is there an update to this Snort's master suppress list? I'm still getting many false positives even after entering this suppression list. For example, it still blocks many normal websites, such as www.cnn.com. In fact, I added www.cnn.com's IP address in the Pass List but it still blocks the CNN website. Why is this?

highc

Which snort alerts is cnn.com triggering for you? I don't get any, just tried.

Also, you should be able to see which rules are the culprit from the snort alerts.