Netgate Discussion Forum

    Snort Suppress All Alerts on IP range

      Kryptos1

      Hello All,

      I was trying to suppress all alerts for a guest range of devices between 192.168.20.10 through 192.168.20.28. I have tried all the below configs and devices with those IPs still trigger. How can I add the appropriate configuration line so that Snort passes traffic for those hosts?

      #DHCP Guest Range
      suppress gen_id 0, sig_id 0, track by_src, ip 192.168.20.10/28

      #DHCP Guest Range
      suppress gen_id 0, sig_id 0, track by_src, ip 192.168.20.10-25

      #DHCP Guest Range
      suppress gen_id 1, sig_id 0, track by_src, ip 192.168.20.10-25

      #DHCP Guest Range
      suppress gen_id 1, sig_id 0, track by_src, ip 192.168.20.10/28

        bmeeks

        Which way is the alert triggering?  With those IP addresses as the SOURCE or DESTINATION?  All of your suppress rules are only working when the target IP is the SRC in the alert packet.

        Also, when you make manual edits to a suppression list you must restart Snort on the interface in order for it to see the changes.

        Bill

          Kryptos1

          Hello Bill,
          Thank you for responding. The alerts always trigger as the "source ip" under Snort's Alerts tab. I managed to figure out that I could add the following line to include all IPs between 192.168.20.10 and 192.168.20.25, which Snort accepts without crashing:

          Suppress Guest DHCPRange01

          suppress gen_id 0, sig_id 0, track by_src, ip [192.168.7.10,192.168.10.11,192.168.10.12,192.168.10.13,192.168.10.14,192.168.10.15,192.168.10.16,192.168.10.17,192.168.10.18,192.168.10.19,192.168.10.120,192.168.10.21,192.168.10.22,192.168.10.23,192.168.10.24,192.168.10.25]

          The above line is in the interface's suppress list. But even with the above line, Snort alerts still trigger on those IPs and Snort adds them to the block list. All of the alerts look to be OPENAPPI Rules. The desired effect I'm looking for is to have Snort just ignore the IP range altogether. Any ideas?

            bmeeks

            Either of these two methods would be correct for syntax –

            
            #DHCP Guest Range
            suppress gen_id 0, sig_id 0, track by_src, ip 192.168.20.10/28
            
            
            
            #DHCP Guest Range
            suppress gen_id 1, sig_id 0, track by_src, ip 192.168.20.10/28
            
            

            The first will apply to all Generator IDs and SIDs, while the latter will apply only to generic rules and not to other preprocessors.

            Exactly how are you assigning the Suppress List you created to the interface?  I assume you know that after creating a manual Suppress List, you then have to go to the INTERFACE SETTINGS tab for the interface where you want to use it and assign it to that interface.  You do that by selecting the named list in the drop-down box in the Suppression List section.  Save the change and then restart Snort on that interface.  Simply creating the list on the SUPPRESS tab is only 50% of the work.

            Another possibility is you have multiple Snort instances running on the same interface.  Run this CLI command to make sure only a single Snort instance is running on each configured interface:

            
            ps -ax |grep snort
            
            

            Bill
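
Added example (not part of either poster's messages): a Python check of which addresses `192.168.20.10/28` spans under standard CIDR semantics, next to suppress lines generated for exactly 192.168.20.10 through 192.168.20.25. It assumes Snort matches the `ip` field as a standard CIDR network; the function names are hypothetical.

```python
import ipaddress

def cidr_cover(first, last):
    """Network-aligned CIDR blocks that cover first..last exactly, nothing more."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    return list(ipaddress.summarize_address_range(lo, hi))

def compare(cidr, first, last):
    """Return (network, missed, extra) for a CIDR checked against the wanted range.

    strict=False masks off the host bits, so 192.168.20.10/28 is read as the
    standard CIDR network that contains .10 (assumption: standard semantics).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    wanted = set(range(int(ipaddress.IPv4Address(first)),
                       int(ipaddress.IPv4Address(last)) + 1))
    covered = {int(a) for a in net}
    missed = [ipaddress.IPv4Address(n) for n in sorted(wanted - covered)]
    extra = [ipaddress.IPv4Address(n) for n in sorted(covered - wanted)]
    return net, missed, extra

def suppress_lines(first, last, gen_id=0, sig_id=0, tracks=("by_src",)):
    """One suppress line per CIDR block and per track direction."""
    lines = []
    for track in tracks:
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        for net in cidr_cover(first, last):
            lines.append(f"suppress gen_id {gen_id}, sig_id {sig_id}, "
                         f"track {track}, ip {net}")
    return lines

if __name__ == "__main__":
    first, last = "192.168.20.10", "192.168.20.25"   # range named in the thread
    net, missed, extra = compare("192.168.20.10/28", first, last)
    print(f"{net} spans {net[0]}-{net[-1]}")
    print(f"  wanted but not covered: {len(missed)} addresses")
    print(f"  covered but not wanted: {len(extra)} addresses")
    print("#DHCP Guest Range")
    print("\n".join(suppress_lines(first, last)))
```

Passing `tracks=("by_src", "by_dst")` emits both directions, which covers the SOURCE or DESTINATION question raised earlier in the thread.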

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.