Netgate Discussion Forum
    Thresholds tab in snort - suppress not stopping alerts

    pfSense Packages

    chowtamah

      Hi, I have the following configuration:
      pfSense Ver: 1.2.3-RELEASE
      Snort: Snort 2.8.5.3 pkg v. 1.24

      In the Suppress tab, I added the following entries:

      suppress gen_id 119, sig_id 2
      suppress gen_id 119, sig_id 4
      suppress gen_id 119, sig_id 13
      suppress gen_id 119, sig_id 14

      and restarted Snort, but the alert is still generated and the related IP (computer) gets blocked.

      Earlier, in v1.22, I added these to threshold.conf of each interface and it worked.
      Should I do the same in this Snort package version as well?

      2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

      Always trying to learn!!

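      The suppress syntax used in this thread, as an added example that is not code from the thread or from the pfSense Snort package: a small Python checker that parses a threshold.conf-style suppress list and reports whether a given alert (gen_id, sig_id, and optionally source or destination address) would be suppressed, so a list can be checked before Snort is restarted. It also handles the address-scoped "track by_src|by_dst, ip" form of the suppress directive, which the thread does not use; the sample list is constructed, and the gen_id 1 entry in it carries a placeholder sig_id.

```python
import ipaddress
import re

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(text):
    """Parse a suppress list into (gid, sid, track, network) tuples.
    track/network are None for global entries; a malformed line raises ValueError."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable suppress line: {raw!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append((int(gid), int(sid), track, net))
    return entries


def is_suppressed(entries, gid, sid, src=None, dst=None):
    """True if an alert with this gid/sid (and addresses) would be dropped by the list."""
    for e_gid, e_sid, track, net in entries:
        if (e_gid, e_sid) != (gid, sid):
            continue
        if track is None:  # global suppress: matches regardless of address
            return True
        addr = src if track == "by_src" else dst
        if addr is not None and ipaddress.ip_address(addr) in net:
            return True
    return False


# Constructed sample list: the four entries posted in the thread plus one
# address-scoped entry with a placeholder sig_id to show the track/ip form.
SAMPLE_LIST = """
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4    # http_inspect: BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 13
suppress gen_id 119, sig_id 14
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.0/24
"""
```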
      jamesdean

        @chowtamah:

        Hi, I have the following configuration:
        pfSense Ver: 1.2.3-RELEASE
        Snort: Snort 2.8.5.3 pkg v. 1.24

        In the Suppress tab, I added the following entries:

        suppress gen_id 119, sig_id 2
        suppress gen_id 119, sig_id 4
        suppress gen_id 119, sig_id 13
        suppress gen_id 119, sig_id 14

        and restarted Snort, but the alert is still generated and the related IP (computer) gets blocked.

        Earlier, in v1.22, I added these to threshold.conf of each interface and it worked.
        Should I do the same in this Snort package version as well?

        Make sure you select the suppress list at the interface edit tab.

        James

        chowtamah

          Thanks James,

          I am sorry for disturbing you. It was my fault to raise the question without studying the interface.

          I selected the suppression file in the interface tab (IF settings) and now it works fine.

          Thank you once again.

          2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

          Always trying to learn!!

          Davc

            James,

            It seems these 2 suppress rules cannot suppress. I am still getting an alert and block on these:

            suppress gen_id 119, sig_id 4
            suppress gen_id 119, sig_id 14

            Davc

            jamesdean

              @Davc:

              James,

              It seems these 2 suppress rules cannot suppress. I am still getting an alert and block on these:

              suppress gen_id 119, sig_id 4
              suppress gen_id 119, sig_id 14

              Davc

              suppress gen_id 119, sig_id 4    http_inspect: BARE BYTE UNICODE ENCODING

              I think that's a Flash false positive.

              Make sure you restart snort after you have these settings entered.

              James

              g4m3c4ck

                Wow, I feel like an idiot that I did not see that before. I guess I believed the drop-down menus only had Default, like my Home Net and External Net have, and ignored the rest, while completely ignoring the fine text, which is quite small on my laptop... duuurr
