Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Thresholds tab in snort - suppress not stopping alerts

    pfSense Packages
    4
    6
    4629
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      chowtamah last edited by

      Hai, I am having following configuration,
      PFsense Ver: 1.2.3-RELEASE
      Snort:  Snort 2.8.5.3 pkg v. 1.24

      In Suppress Tab, I added following entries

      suppress gen_id 119, sig_id 2
      suppress gen_id 119, sig_id 4
      suppress gen_id 119, sig_id 13
      suppress gen_id 119, sig_id 14

      and restarted the snort, but still alert is generated and related ip (computer) gets blocked.

      Earlier V.1.22, i added these to threshold.conf of each interface and it worked.
      Should I do the same in this snort package version also?

      2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

      Always trying to learn!!

      1 Reply Last reply Reply Quote 0
      • J
        jamesdean last edited by

        @chowtamah:

        Hai, I am having following configuration,
        PFsense Ver: 1.2.3-RELEASE
        Snort:  Snort 2.8.5.3 pkg v. 1.24

        In Suppress Tab, I added following entries

        suppress gen_id 119, sig_id 2
        suppress gen_id 119, sig_id 4
        suppress gen_id 119, sig_id 13
        suppress gen_id 119, sig_id 14

        and restarted the snort, but still alert is generated and related ip (computer) gets blocked.

        Earlier V.1.22, i added these to threshold.conf of each interface and it worked.
        Should I do the same in this snort package version also?

        Make sure you select the suppress list at the interface edit tab.

        James

        1 Reply Last reply Reply Quote 0
        • C
          chowtamah last edited by

          Thanks James,

          I am sorry to disturbing you. It is my fault to raise the question without studying the interface.

          I selected the suppression file in interface tab (IF settings) and now it works fine.

          Thank you once again.

          2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

          Always trying to learn!!

          1 Reply Last reply Reply Quote 0
          • D
            Davc last edited by

            James,

            It seems these 2 suppress rules cannot supress. I am still getting alert and block on these:

            suppress gen_id 119, sig_id 4
            suppress gen_id 119, sig_id 14

            Davc

            1 Reply Last reply Reply Quote 0
            • J
              jamesdean last edited by

              @Davc:

              James,

              It seems these 2 suppress rules cannot suppress. I am still getting alert and block on these:

              suppress gen_id 119, sig_id 4
              suppress gen_id 119, sig_id 14

              Davc

              suppress gen_id 119, sig_id 4    http_inspect: BARE BYTE UNICODE ENCODING

              I think thats a flash false positive.

              Make sure you restart snort after you have these settings entered.

              James

              1 Reply Last reply Reply Quote 0
              • G
                g4m3c4ck last edited by

                Wow I feel like an idiot that I did not see that before. I guess I believed the drop down menus only had Default like my Home Net and external net has and ignored the rest while completely ignoring the fine text which is quite small on my laptop…. duuurr

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post

                Products

                • Platform Overview
                • TNSR
                • pfSense
                • Appliances

                Services

                • Training
                • Professional Services

                Support

                • Subscription Plans
                • Contact Support
                • Product Lifecycle
                • Documentation

                News

                • Media Coverage
                • Press
                • Events

                Resources

                • Blog
                • FAQ
                • Find a Partner
                • Resource Library
                • Security Information

                Company

                • About Us
                • Careers
                • Partners
                • Contact Us
                • Legal
                Our Mission

                We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                Subscribe to our Newsletter

                Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                © 2021 Rubicon Communications, LLC | Privacy Policy