Netgate Discussion Forum
    [resolved] snort openappid alert limit

    IDS/IPS
    7 Posts 3 Posters 841 Views
      Actionhenk
      last edited by Actionhenk

      Hello, is it possible to reduce the number of alerts for an app to once per minute ? For example, I browse to www.netflix.com and the log fills up with 30+ alerts saying "netflix". Is there a way to limit it to 1 alert per minute ?

      Thanks

        bmeeks
        last edited by

        You can use Suppress rules to take care of this. You need to have the GID:SID of the OpenAppID rule you want to rate limit. You can't just click through this in the GUI, though. You will have to manually edit the Suppress List for the interface on the SUPPRESS tab. You can find examples for rate limiting on the web via a Google search.

          Actionhenk
          last edited by

          Found a solution in this suppress rule:

          event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 10

          seems to be applied to all gid/sid.

            bmeeks @Actionhenk
            last edited by bmeeks

            @Actionhenk said in [resolved] snort openappid alert limit:

            Found a solution in this suppress rule:

            event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 10

            seems to be applied to all gid/sid.

            If you want it to apply to just a single rule, then change the sig_id field to match the value of the SID for the offending rule. SID is short for "Signature ID", and is a unique value assigned to each rule. Rules are identified by their "Generator ID" (GID) and "Signature ID" (SID). The GID is usually 1 unless the rule is associated with a handful of special Snort preprocessors. In that case, the GID will be a 3-digit number.

              ng_anon @bmeeks
              last edited by

              @bmeeks
              Try as I might, I can't get event_filter to work for me.
              How to debug? Where in the filesystem do these suppression lists live? Where in the logs would I see if the suppression list has been activated, and without error?

                bmeeks @ng_anon
                last edited by bmeeks

                @ng_anon said in [resolved] snort openappid alert limit:

                @bmeeks
                Try as I might, I can't get event_filter to work for me.
                How to debug? Where in the filesystem do these suppression lists live? Where in the logs would I see if the suppression list has been activated, and without error?

                Suppression list data lives in the config.xml file on the firewall where all pfSense configuration data resides. When you save changes to a Snort interface, or restart an interface instance, the PHP code in the GUI reads the configuration data and writes it out to the appropriate text-based configuration files that the Snort binary expects. Each Snort interface instance you configure will have its own unique sub-directory underneath this path:

                /usr/local/etc/snort/

                The top directory (the /usr/local/etc/snort directory) contains just sample data. No configuration files from that directory are ever used. If you look at the sub-directories underneath, you will find the configuration for each interface. The directories are named with a random UUID and the physical NIC name. Within each sub-directory you will find a snort.conf file containing the configuration and then the suppression list file will have the same name as the Suppress List currently assigned to the interface.

                I will repeat this just to be sure you know. When using Suppression Lists, unless you automatically created one by clicking one of the suppress icons on the ALERTS tab, then you must go to the INTERFACE SETTINGS tab for the interface, choose the appropriate Suppress List in the drop-down selector, save the change, and then restart Snort on that interface in order for the suppress list to be applied.

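The following is an added example, not code from this thread or from the pfSense Snort package. It covers two things raised above: what an event_filter line of the form bmeeks describes (gen_id/sig_id, type limit/threshold/both, track by_src, count, seconds) actually does to a burst of alerts, and the first debugging step when "event_filter does not work", which is checking that every line in the Suppress List parses. The suppress list text, the alert stream, the client addresses and the SID 1000001 (a placeholder in the local-rule range) are all constructed here; the window handling is a simplified model of Snort 2.x event_filter semantics as documented, not Snort's own code.

```python
"""Validate Snort event_filter lines and simulate their effect on an alert stream."""
import re
from collections import defaultdict

# Grammar of one Snort 2.x event_filter line as it appears in a pfSense Suppress List.
EVENT_FILTER_RE = re.compile(
    r"^event_filter\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)\s*,\s*"
    r"type\s+(?P<type>limit|threshold|both)\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*"
    r"count\s+(?P<count>\d+)\s*,\s*seconds\s+(?P<seconds>\d+)$"
)


def parse_suppress_list(text):
    """Return (filters, errors).  Comments, blank lines and plain 'suppress'
    entries are skipped; any other line that does not match the event_filter
    grammar is reported with its line number, which is the first thing to
    check when a filter 'does not work' (e.g. 'sid_id' typed for 'sig_id')."""
    filters, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("suppress"):
            continue
        m = EVENT_FILTER_RE.match(line)
        if m is None:
            errors.append((lineno, line))
            continue
        filters.append({k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()})
    return filters, errors


def _filters_for(filters, gid, sid):
    """A filter bound to the exact gen_id:sig_id is tested first; if it lets the
    event through, a wildcard filter (sig_id 0 for that gen_id, or gen_id 0 with
    sig_id 0) is tested as well.  Simplified model of the order Snort documents."""
    exact = [f for f in filters if (f["gid"], f["sid"]) == (gid, sid)]
    wild = [f for f in filters if f["sid"] == 0 and f["gid"] in (gid, 0)]
    return exact + wild


def _passes(state, f, ev):
    """Apply one filter to one event with a per-rule, per-address time window.
    Counters are kept per event gen_id:sig_id even under a wildcard filter,
    so 'gen_id 1, sig_id 0' rate-limits each rule separately (modelled here)."""
    addr = ev["src"] if f["track"] == "by_src" else ev["dst"]
    st = state[(f["gid"], f["sid"], ev["gid"], ev["sid"], addr)]
    if st["start"] is None or ev["ts"] - st["start"] >= f["seconds"]:
        st["start"], st["n"] = ev["ts"], 0        # a new window starts at this event
    st["n"] += 1
    if f["type"] == "limit":          # first <count> events per window, then silence
        return st["n"] <= f["count"]
    if f["type"] == "threshold":      # every <count>th event in the window
        return st["n"] % f["count"] == 0
    return st["n"] == f["count"]      # both: once per window, on the <count>th event


def simulate(filters, events):
    """Return the subset of events that would reach the alert log."""
    state = defaultdict(lambda: {"start": None, "n": 0})
    return [ev for ev in events
            if all(_passes(state, f, ev) for f in _filters_for(filters, ev["gid"], ev["sid"]))]


# Constructed sample Suppress List.  Line 4 deliberately carries the 'sid_id'
# typo so the validator has something to report.
SAMPLE_SUPPRESS_LIST = """\
# constructed pfSense Suppress List
suppress gen_id 1, sig_id 1000002
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 10
event_filter gen_id 1, sid_id 0, type limit, track by_src, count 1, seconds 10
"""


def sample_events():
    """Constructed alert stream: client 192.0.2.10 triggers placeholder rule
    1:1000001 once a second for 30 s; client 192.0.2.11 fires three times."""
    evs = [{"ts": t, "gid": 1, "sid": 1000001, "src": "192.0.2.10", "dst": "198.51.100.5"}
           for t in range(30)]
    evs += [{"ts": t, "gid": 1, "sid": 1000001, "src": "192.0.2.11", "dst": "198.51.100.5"}
            for t in (3, 4, 5)]
    return sorted(evs, key=lambda e: e["ts"])


def logged_alerts(filter_line):
    """(src, ts) of the alerts that survive a single event_filter line."""
    filters, errors = parse_suppress_list(filter_line)
    assert not errors, errors
    return [(ev["src"], ev["ts"]) for ev in simulate(filters, sample_events())]


if __name__ == "__main__":
    filters, errors = parse_suppress_list(SAMPLE_SUPPRESS_LIST)
    print("valid filters:", filters)
    print("rejected lines:", errors)
    for line in ("event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 10",
                 "event_filter gen_id 1, sig_id 1000001, type threshold, track by_src, count 5, seconds 10",
                 "event_filter gen_id 1, sig_id 1000001, type both, track by_src, count 5, seconds 10"):
        print(line, "->", logged_alerts(line))
```

Run as-is, the script rejects the `sid_id` line and shows that the thread's `type limit, count 1, seconds 10` filter turns 30 alerts a second apart from one client into three (at 0, 10 and 20 seconds), while the second client still gets its own first alert because tracking is by_src. Two points worth remembering when editing the list by hand: Snort accepts only one event_filter per gen_id:sig_id pair, so a second line for the same rule is a configuration error rather than a second limit, and, as bmeeks says above, the list is only read when it is assigned to the interface and Snort is restarted on that interface.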
                  ng_anon @bmeeks
                  last edited by

                  @bmeeks Got it working. Thanks again.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.