How do you write suppress rules for snort



  • Hi
    I am trying to understand how I will write the suppress rules.
    Example:

    1   3   ICMP   ICMP PING   Misc activity   33.33.33.33   empty   ->   192.168.88.1   empty   1:384:5   07/27-17:49:14
    2 3 ICMP ICMP PING *NIX Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:366:7 07/27-17:49:14
    3 3 ICMP ICMP PING BSDtype Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:368:6 07/27-17:49:14
    4 3 ICMP ICMP PING Misc activity 33.33.33.33   empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:13
    5 3 ICMP ICMP PING *NIX Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:366:7 07/27-17:49:13
    6 3 ICMP ICMP PING BSDtype Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:368:6 07/27-17:49:13
    7 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:12

    I have added 33.33.33.33 in Whitelist, so that it does not block the IP 33.33.33.33,

    but I don't want to see these logs in the Alerts file.
    So how will I write the suppress rules?

    I tried to write like this

    suppress gen_id 1, sig_id 1852, track by_src, ip 33.33.33.33

    then added these suppress rules in the Interface tab,
    but it did not work.

    So can you please tell me how to write the rules so that I don't see any log related to 33.33.33.33?
    Thanks



  • I think the sig_id doesn't match the log you've posted. It's the second number in the string, i.e. 1:384:5.
    So, you need to write:

    suppress gen_id 1, sig_id 384, track by_src, ip 33.33.33.33
    suppress gen_id 1, sig_id 366, track by_src, ip 33.33.33.33
    suppress gen_id 1, sig_id 368, track by_src, ip 33.33.33.33

    Also, you need to set up the If Settings > Suppression and filtering option.
    Check the Snort FAQ: http://forum.pfsense.org/index.php/topic,16847.0.html
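    The point of the answer above, that the sig_id in a suppress line has to be the middle number of the gid:sid:rev triple shown in the alert, can be checked mechanically. The following script is an added example and is not code from the thread or from the pfSense Snort package: it parses alert rows in the format posted in the question (a constructed copy of those rows is embedded inline), generates one suppress line per distinct gid:sid seen from a given source address, and evaluates whether a suppress line would match an alert the way Snort's threshold.conf suppression does (gen_id and sig_id must match, and with track by_src the source address must match). The IP comparison is an exact-string match for simplicity; real Snort also accepts CIDR blocks in the ip field, which this example does not handle.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the alert rows from the original post, one per line.
# Column order: id, iface, proto, description, class, src, sport, ->, dst, dport, gid:sid:rev, time
SAMPLE_ALERTS = """\
1 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:14
2 3 ICMP ICMP PING *NIX Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:366:7 07/27-17:49:14
3 3 ICMP ICMP PING BSDtype Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:368:6 07/27-17:49:14
4 3 ICMP ICMP PING Misc activity 33.33.33.33 empty -> 192.168.88.1 empty 1:384:5 07/27-17:49:13
"""

# The description column has a variable number of words, so anchor on the
# "src port -> dst port gid:sid:rev" tail rather than on column positions.
ALERT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)"
)

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    gid: int
    sid: int
    rev: int


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]  # "by_src", "by_dst", or None (suppress for every host)
    ip: Optional[str]


def parse_alerts(text: str) -> List[Alert]:
    """Extract source, destination and gid:sid:rev from each alert row."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(m["src"], m["dst"], int(m["gid"]), int(m["sid"]), int(m["rev"])))
    return alerts


def parse_suppress(line: str) -> Suppress:
    """Parse one threshold.conf-style suppress line; raises on malformed input."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a suppress line: {line!r}")
    return Suppress(int(m["gid"]), int(m["sid"]), m["track"], m["ip"])


def matches(rule: Suppress, alert: Alert) -> bool:
    """True if this suppress rule would silence this alert (exact-IP match, no CIDR)."""
    if rule.gid != alert.gid or rule.sid != alert.sid:
        return False  # a wrong sig_id never matches, whatever the IP
    if rule.track is None:
        return True
    host = alert.src if rule.track == "by_src" else alert.dst
    return host == rule.ip


def is_suppressed(rules: List[Suppress], alert: Alert) -> bool:
    return any(matches(r, alert) for r in rules)


def suppress_rules_for_source(alerts: List[Alert], src_ip: str) -> List[str]:
    """One 'track by_src' suppress line per distinct gid:sid alerting on src_ip."""
    seen = sorted({(a.gid, a.sid) for a in alerts if a.src == src_ip})
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {src_ip}" for g, s in seen]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for line in suppress_rules_for_source(alerts, "33.33.33.33"):
        print(line)
    wrong = parse_suppress("suppress gen_id 1, sig_id 1852, track by_src, ip 33.33.33.33")
    print("sig_id 1852 silences first alert:", is_suppressed([wrong], alerts[0]))
```

    Running it prints the three suppress lines from the answer above and shows that the original sig_id 1852 rule does not match any of the posted alerts, because nothing in the log carries sid 1852.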



  • Hi, thanks
    I will try this tomorrow morning, then I will come back to you. I believe you showed me the right way, but if I still have any problem I will come back to you tomorrow.
    Thanks for your time and advice.



  • It would have been nice if something in the original post indicated it was related to snort :(



  • @danswartz
    Thanks
    I added the word Snort to the question.



  • @johnnybe
    Thanks, yes, that rule works.
    Now I can suppress the necessary logs.



  • @fosiul:

    @johnnybe
    Thanks, yes, that rule works.
    Now I can suppress the necessary logs.

    Well, you know… you should say thanks to jamesdean. He made the Snort package FAQ.
    That's where I've learnt.
    You're welcome, whatsoever.

