3. Thresholds tab in snort - suppress not stopping alerts

Thresholds tab in snort - suppress not stopping alerts

  • C

    Hai, I am having following configuration,
    PFsense Ver: 1.2.3-RELEASE
    Snort:  Snort 2.8.5.3 pkg v. 1.24

    In Suppress Tab, I added following entries

    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 13
    suppress gen_id 119, sig_id 14

    and restarted the snort, but still alert is generated and related ip (computer) gets blocked.

    Earlier V.1.22, i added these to threshold.conf of each interface and it worked.
    Should I do the same in this snort package version also?

    0
  • J

    @chowtamah:

    Hai, I am having following configuration,
    PFsense Ver: 1.2.3-RELEASE
    Snort:  Snort 2.8.5.3 pkg v. 1.24

    In Suppress Tab, I added following entries

    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 13
    suppress gen_id 119, sig_id 14

    and restarted the snort, but still alert is generated and related ip (computer) gets blocked.

    Earlier V.1.22, i added these to threshold.conf of each interface and it worked.
    Should I do the same in this snort package version also?

    Make sure you select the suppress list at the interface edit tab.

    James

    0
  • C

    Thanks James,

    I am sorry to disturbing you. It is my fault to raise the question without studying the interface.

    I selected the suppression file in interface tab (IF settings) and now it works fine.

    Thank you once again.

    0
  • D

    James,

    It seems these 2 suppress rules cannot supress. I am still getting alert and block on these:

    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 14

    Davc

    0
  • J

    @Davc:

    James,

    It seems these 2 suppress rules cannot suppress. I am still getting alert and block on these:

    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 14

    Davc

    suppress gen_id 119, sig_id 4    http_inspect: BARE BYTE UNICODE ENCODING

    I think thats a flash false positive.

    Make sure you restart snort after you have these settings entered.

    James

    0
  • G

    Wow I feel like an idiot that I did not see that before. I guess I believed the drop down menus only had Default like my Home Net and external net has and ignored the rest while completely ignoring the fine text which is quite small on my laptop…. duuurr

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy