[resolved] snort openappid alert limit

Actionhenk

Hello, is it possible to reduce the number of alerts for an app to once per minute ? For example, I browse to www.netflix.com and the log fills up with 30+ alerts saying "netflix". Is there a way to limit it to 1 alert per minute ?

Thanks

bmeeks

You can use Suppress rules to take care of this. You need to have the GID:SID of the OpenAppID rule you want to rate limit. You can't just click through this in the GUI, though. You will have to manually edit the Suppress List for the interface on the SUPPRESS tab. You can find examples for rate limiting on the web via a Google search.

Actionhenk

Found a solution in this suppress rule:

event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 10

seems to be applied to all gid/sid.

bmeeks

@Actionhenk said in [resolved] snort openappid alert limit:

Found a solution in this suppress rule:

event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 10

seems to be applied to all gid/sid.

If you want it to apply to just a single rule, then change the sid_id field to match the value of the SID for the offending rule. SID is short for "Signature ID", and is a unique value assigned to each rule. Rules are identified by their "Generator ID" (GID) and "Signature ID" (SID). The GID is usually 1 unless the rule is associated with a handful of special Snort preprocessors. In that case, the GID will be a 3-digit number.

ng_anon

@bmeeks
Try as I might, I can't get event_filter to work for me.
How to debug? Where in the filesystem do these suppression lists live? Where in the logs would I see if the suppression list has been activated, and without error?

bmeeks

@ng_anon said in [resolved] snort openappid alert limit:

@bmeeks
Try as I might, I can't get event_filter to work for me.
How to debug? Where in the filesystem do these suppression lists live? Where in the logs would I see if the suppression list has been activated, and without error?

Suppression list data lives in the config.xml file on the firewall where all pfSense configuration data resides. When you save changes to a Snort interface, or restart an interface instance, the PHP code in the GUI reads the configuration data and writes it out to the appropriate text-based configuration files that the Snort binary expects. Each Snort interface instance you configure will have its own unique sub-directory underneath this path:

/usr/local/etc/snort/

The top directory (the /usr/local/etc/snort directory) contains just sample data. No configuration files from that directory are ever used. If you look at the sub-directories underneath, you will find the configuration for each interface. The directories are named with a random UUID and the physical NIC name. Within each sub-directory you will find a snort.conf file containing the configuration and then the suppression list file will have the same name as the Suppress List currently assigned to the interface.

I will repeat this just to be sure you know. When using Suppression Lists, unless you automatically created one by clicking one of the suppress icons on the ALERTS tab, then you must go to the INTERFACE SETTINGS tab for the interface, choose the appropriate Suppress List in the drop-down selector, save the change, and then restart Snort on that interface in order for the suppress list to be applied.

ng_anon

@bmeeks Got it working. Thanks again.