Snort Suppress All Alerts on IP Range
-
Hello All,
I was trying to suppress all alerts for a guest range of devices between 192.168.20.10 and 192.168.20.28. I have tried all the configs below, and devices with those IPs still trigger. How can I add the appropriate configuration line so that Snort passes traffic for those hosts?
#DHCP Guest Range
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.20.10/28
#DHCP Guest Range
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.20.10-25
#DHCP Guest Range
suppress gen_id 1, sig_id 0, track by_src, ip 192.168.20.10-25
#DHCP Guest Range
suppress gen_id 1, sig_id 0, track by_src, ip 192.168.20.10/28
-
Which way is the alert triggering? With those IP addresses as the SOURCE or the DESTINATION? All of your suppress rules only work when the target IP is the SRC in the alert packet.
Also, when you make manual edits to a suppression list you must restart Snort on the interface in order for it to see the changes.
Bill
-
Hello Bill,
Thank you for responding. The alerts always trigger as the "source ip" under Snort's Alerts tab. I managed to figure out that I could add the following line to include all IPs between 192.168.20.10 and 192.168.20.25, which Snort accepts without crashing:
Suppress Guest DHCPRange01
suppress gen_id 0, sig_id 0, track by_src, ip [192.168.7.10,192.168.10.11,192.168.10.12,192.168.10.13,192.168.10.14,192.168.10.15,192.168.10.16,192.168.10.17,192.168.10.18,192.168.10.19,192.168.10.120,192.168.10.21,192.168.10.22,192.168.10.23,192.168.10.24,192.168.10.25]
The above line is in the interface's suppress list. But even with the above line, Snort alerts still trigger on those IPs and add them to the block list. All of the alerts look to be OpenAppID rules. The desired effect I'm looking for is to have Snort just ignore the IP range altogether. Any ideas?
-
Either of these two methods would be correct syntax:
#DHCP Guest Range
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.20.10/28
#DHCP Guest Range
suppress gen_id 1, sig_id 0, track by_src, ip 192.168.20.10/28
The first will apply to all Generator IDs and SIDs, while the latter will apply only to generic rules and not to other preprocessors.
Exactly how are you assigning the Suppress List you created to the interface? I assume you know that after creating a manual Suppress List, you then have to go to the INTERFACE SETTINGS tab for the interface where you want to use it and assign it to that interface. You do that by selecting the named list in the drop-down box in the Suppression List section. Save the change and then restart Snort on that interface. Simply creating the list on the SUPPRESS tab is only 50% of the work.
Another possibility is you have multiple Snort instances running on the same interface. Run this CLI command to make sure only a single Snort instance is running on each configured interface:
ps -ax | grep snort
Bill
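The thread above turns on two details of the `suppress` line's `ip` field: a CIDR such as `192.168.20.10/28` does not start at `.10`, it is read as the aligned /28 network (`192.168.20.0` through `192.168.20.15`), and a `track by_src` entry says nothing about packets where the guest host is the destination. The following script is an added example written for this page, not code from the original posters or from the Snort or pfSense projects. It assumes the Snort 2 threshold/suppress syntax shown in the posts (`suppress gen_id N, sig_id N, track by_src|by_dst, ip <cidr or [list]>`), and it models Snort's handling of an unaligned CIDR by masking to the network boundary (`strict=False`), which is an assumption stated in the code. Given an inclusive range such as `192.168.20.10` to `192.168.20.28`, it emits the minimal list of CIDR blocks, writes one `by_src` and one `by_dst` line so the range is ignored in both directions, and lets you check whether a given alert IP actually falls inside a candidate `ip` field before restarting Snort.

```python
import ipaddress

# Helper names (cidr_covers, range_to_cidrs, suppress_lines, ip_in_list) are
# assumptions of this example; they are not part of Snort or the pfSense package.


def cidr_covers(cidr):
    """Return (first, last) addresses that a CIDR entry actually matches.

    strict=False masks an unaligned CIDR to its network boundary, which is the
    assumed behaviour of Snort's IP-list parser: 192.168.20.10/28 becomes
    192.168.20.0/28 and therefore never matches 192.168.20.16-.28.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering the inclusive range first..last."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(b) for b in blocks]


def suppress_lines(first, last, gen_id=0, sig_id=0,
                   comment="DHCP Guest Range", both_directions=True):
    """Build suppress-list lines for an address range.

    gen_id 0 / sig_id 0 matches every generator and signature (as Bill notes).
    both_directions=True emits a by_dst line as well, because a by_src entry
    only covers alerts where the guest host is the packet's source.
    """
    cidrs = range_to_cidrs(first, last)
    ip_field = cidrs[0] if len(cidrs) == 1 else "[" + ",".join(cidrs) + "]"
    tracks = ["by_src", "by_dst"] if both_directions else ["by_src"]
    lines = ["#" + comment]
    for track in tracks:
        lines.append(
            f"suppress gen_id {gen_id}, sig_id {sig_id}, track {track}, ip {ip_field}"
        )
    return lines


def ip_in_list(ip, ip_field):
    """Check whether an alert IP falls inside a suppress line's ip field.

    Accepts either a single 'a.b.c.d/nn' entry or a bracketed '[x,y,z]' list,
    the two forms used in the thread.
    """
    field = ip_field.strip()
    if field.startswith("[") and field.endswith("]"):
        entries = [e.strip() for e in field[1:-1].split(",") if e.strip()]
    else:
        entries = [field]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


if __name__ == "__main__":
    # Constructed inputs from the thread: the guest range and the /28 that was tried.
    print("192.168.20.10/28 really covers:", cidr_covers("192.168.20.10/28"))
    for line in suppress_lines("192.168.20.10", "192.168.20.28"):
        print(line)
    generated = suppress_lines("192.168.20.10", "192.168.20.28")[1].split("ip ", 1)[1]
    print("192.168.20.20 in /28 entry:", ip_in_list("192.168.20.20", "192.168.20.10/28"))
    print("192.168.20.20 in generated list:", ip_in_list("192.168.20.20", generated))
```

Paste the printed lines into the named suppress list, assign that list on the interface's settings tab, and restart Snort on the interface, exactly as Bill describes; the `ip_in_list` check is the quick way to confirm, before the restart, that the address shown in the Alerts tab is actually inside the field you wrote.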