3. Thresholds tab in snort - suppress not stopping alerts

Thresholds tab in snort - suppress not stopping alerts

  • C

    Hai, I am having following configuration,
    PFsense Ver: 1.2.3-RELEASE
    Snort:  Snort 2.8.5.3 pkg v. 1.24

    In Suppress Tab, I added following entries

    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 13
    suppress gen_id 119, sig_id 14

    and restarted the snort, but still alert is generated and related ip (computer) gets blocked.

    Earlier V.1.22, i added these to threshold.conf of each interface and it worked.
    Should I do the same in this snort package version also?

    0
  • J

    @chowtamah:

    Hai, I am having following configuration,
    PFsense Ver: 1.2.3-RELEASE
    Snort:  Snort 2.8.5.3 pkg v. 1.24

    In Suppress Tab, I added following entries

    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 13
    suppress gen_id 119, sig_id 14

    and restarted the snort, but still alert is generated and related ip (computer) gets blocked.

    Earlier V.1.22, i added these to threshold.conf of each interface and it worked.
    Should I do the same in this snort package version also?

    Make sure you select the suppress list at the interface edit tab.

    James

    0
  • C

    Thanks James,

    I am sorry to disturbing you. It is my fault to raise the question without studying the interface.

    I selected the suppression file in interface tab (IF settings) and now it works fine.

    Thank you once again.

    0
  • D

    James,

    It seems these 2 suppress rules cannot supress. I am still getting alert and block on these:

    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 14

    Davc

    0
  • J

    @Davc:

    James,

    It seems these 2 suppress rules cannot suppress. I am still getting alert and block on these:

    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 14

    Davc

    suppress gen_id 119, sig_id 4    http_inspect: BARE BYTE UNICODE ENCODING

    I think thats a flash false positive.

    Make sure you restart snort after you have these settings entered.

    James

    0
  • G

    Wow I feel like an idiot that I did not see that before. I guess I believed the drop down menus only had Default like my Home Net and external net has and ignored the rest while completely ignoring the fine text which is quite small on my laptop…. duuurr

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy