Suricata/Snort master SID disablesid.conf
-
I had this problem and tuning didn't solve anything; I had to disable the detection :(
https://forum.pfsense.org/index.php?topic=80068.msg436866#msg436866
-
I suggest if you're getting too many false positives and at a loss for how to configure around them, try this:
event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600This will filter events such that only offending IPs which create more than 10 events in 10 minutes will be blocked –- this seriously helps out when packets are fragmented oddly or a server just responds weirdly once in a while. You may change "count 10" and "seconds 600" to make it less restrictive or more restrictive.
-
I suggest if you're getting too many false positives and at a loss for how to configure around them, try this:
event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600This will filter events such that only offending IPs which create more than 10 events in 10 minutes will be blocked –- this seriously helps out when packets are fragmented oddly or a server just responds weirdly once in a while. You may change "count 10" and "seconds 600" to make it less restrictive or more restrictive.
How do I apply this method?
-
This is added to the interface suppression list. So for a particular suppression you change the gid and sid accordingly.
You will need to restart the interface to allow it to be enabled.
http://manual.snort.org/node19.html
http://books.msspace.net/mirrorbooks/snortids/0596006616/snortids-CHP-9-SECT-5.html
-
So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)
event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap
panz
-
So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)
event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap
panz
Yes, that's correct. Open the Suppress List in edit mode and paste in the line. Save the list and then restart the affected Snort interface. Make sure that the Suppress List you edit is the one currently used by the interface. You can check this on the INTERFACE SETTINGS tab for the interface.
Bill
-
Note that:
event_filter gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 600Will specifically filter ALL events to 10 per 10 minutes, a quick-and-dirty way to stop massive false-positives while still providing some protection. What I've been doing recently is slowly lowering the count –- now at 3 --- while making different event_filter rules for specific flowbits. Example:
event_filter gen_id 0, sig_id 0, type both, track by_src, count 3, seconds 600 ## False Positives ## ; (spp_sdf) SDF Combination Alert event_filter gen_id 139, sig_id 1, type both, track by_src, count 6, seconds 600 ; (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE event_filter gen_id 120, sig_id 8, type both, track by_src, count 6, seconds 600 ; (http_inspect) UNKNOWN METHOD event_filter gen_id 119, sig_id 31, type both, track by_src, count 6, seconds 600From my experience I'm not sure I actually agree with the idea of a master suppress list, since I've found false positives will be based on what sites you tend to visit, the quality of your connection with these sites (many false positives are simply malformed packets), etc. However, this filtering should provide at least a little more protection than simply suppressing the alert always.
Also note these event filters are tracking by the source, it shouldn't really matter how many users you have (IE, you don't necessarily need to up "count" because you have more users).
Next on my to-do is figure out how to do event filtering for certain IPs and IP ranges; I think it can be done using rate_filter set to at least "alert". I'm hoping to essentially disable the suppression for my servers.
-
So, if I'm understanding right, I have to add this line to my Suppress List (both on LAN and WAN interfaces)
event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600gen_id 123, sig_id 8 corresponds to #(spp_frag3) Fragmentation overlap
panz
Yes, that's correct. Open the Suppress List in edit mode and paste in the line. Save the list and then restart the affected Snort interface. Make sure that the Suppress List you edit is the one currently used by the interface. You can check this on the INTERFACE SETTINGS tab for the interface.
Bill
Could I force this to work only for a certain IP address? Is it possible to add the IP address I want to filter after the comma past the "track by_src"?
-
Yes you can add an IP or CIDR and after that include additional other syntax as required.
9.5.3 Suppression Rules
Suppression rules are similar in syntax to standalone threshold rules. Suppression rules can suppress alerts by signature, by source or destination address, or by an entire CIDR network block. This flexibility has considerable power. Care must be taken to only suppress the correct alerts or addresses. An administrator could inadvertently suppress legitimate alerts.
Suppression rules are written with the following syntax:
suppress gen_id gen-id, sid_id sid-id, track [by_src|by_dst], ip IP/MASK-BITS
Suppress this event completely:
suppress gen_id 1, sig_id 114
Suppress this event from this source IP address:
suppress gen_id 1, sig_id 114, track by_src, ip 10.2.1.154
Suppress this event to this destination CIDR block:
suppress gen_id 1, sig_id 114, track by_dst, ip 10.2.1.0/24
-
Thanks, this is for Suppress action. Am I able to use the track by_src with the event_filter?
Panz
-
Yes you can add other settings after the IP address.
-
Yes you can add other settings after the IP address.
Sorry, I didn't explain my question well. Is this row ok? :
event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600I'm asking because – in the examples regarding the event_filter – I can't find the "track by_src" followed by an IP address, like in the examples regarding the suppress command.
I hope that my question is clear now.
-
Sorry, I didn't explain my question well. Is this row ok? :
event_filter gen_id 123, sig_id 8, type both, track by_src, 106.188.165.67, count 10, seconds 600After looking at the Docs, it looks like only the "Suppression" rules can use an IP where event_filter is only by src/dst…
If you wanted to have a suppression and a event_filter, you could do the following in order:
suppress gen_id 123, sig_id 8, track by_src, ip 106.188.165.67
event_filter gen_id 123, sig_id 8, type both, track by_src, count 10, seconds 600This would suppress this sid/IP combination, and event_filter would limit any other IPs. Or you can just use the event_filter by itself.
-
My intention was only to event_filter one address, my favorite AirVPN server.
-
The list is a good idea, BUT, we have no idea what is being suppressed. At least I have no idea….. Using this list literally stops everything from showing up and getting banned, is this a good idea?. For all I know, you could have suppressed a bunch of things that should not be.
Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.
Not knocking your work, but as mentioned, I have no idea what you're suppressing.
-
The list is a good idea, BUT, we have no idea what is being suppressed. At least I have no idea….. Using this list literally stops everything from showing up and getting banned, is this a good idea?. For all I know, you could have suppressed a bunch of things that should not be.
Listing what you suppressed would have been a better approach, I am going to avoid using this and attempt to build something that I have a clue about.
Not knocking your work, but as mentioned, I have no idea what you're suppressing.
Thank you for pointing this out. I am a PFSense / snort newbie and just discovered this list. It improved the performance of snort, but I, too, am concerned about what it is actually doing since I am so new at this. A reply from somebody with experience would be beneficial.
This week I plan to remove the list, at lease temporarily, and try to make my own suppression list. It will give me a frame of reference that may enable me to figure out the donated one better.
-
deanot,
I removed the copied suppression list ans started building my own today. I'm using suppression only at this time because I'm still too new with snort and PFSense to try the rule fixes. That will come down the road in a couple of weeks.
FYI: It appears to take detective work to figure out what can be suppressed. Just tedious detective work.
For example, a 'corporate violation' appeared to be my home network doing something internally using IPv6. Seemed pretty safe to suppress. Also on the copied list.
An IPv4 destination address pointed at Microsoft. Google said it was in use by a company that supplies an anti-malware product I use. I assumed it was talking back to the publisher. Coded as safe.
I noted one before that ooma was involved with and also noted on the ooma 'ports to forward' list they publish. Allowed.
This must reflect the suggestion to run 'detect only' for a couple of months first. Good luck.
-
Hi, people.
Im create a github repo with the list https://github.com/cristianmenghi/pfsense-snort/
I have a problem that snort block my access to the webConfigurator, any advice ?
thanks.
-
Hi, people.
Im create a github repo with the list https://github.com/cristianmenghi/pfsense-snort/
I have a problem that snort block my access to the webConfigurator, any advice ?
thanks.
I have exactly same problem using this list. Have you found lines / reason which are causing it? Otherwise list is great…
Can anybody advice?
-
Realized I had not posed my most recent suppression list. Found quiet a bit of new ones to add on the list after the recent upgrade to 2.3. I still see a few more false positives but they are not yet blocking anything critical.
–------------------------------------------
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 23256
suppress gen_id 1, sig_id 24889
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2000419
suppress gen_id 1, sig_id 2003195
suppress gen_id 1, sig_id 2007727
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2008578
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2010525
suppress gen_id 1, sig_id 2010935
suppress gen_id 1, sig_id 2010937
suppress gen_id 1, sig_id 2011716
suppress gen_id 1, sig_id 2012078
suppress gen_id 1, sig_id 2012086
suppress gen_id 1, sig_id 2012087
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2012089
suppress gen_id 1, sig_id 2012141
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013028
suppress gen_id 1, sig_id 2013031
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2013414
suppress gen_id 1, sig_id 2013504
suppress gen_id 1, sig_id 2014472
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014726
suppress gen_id 1, sig_id 2014734
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2015744
suppress gen_id 1, sig_id 2016360
suppress gen_id 1, sig_id 2016877
suppress gen_id 1, sig_id 2017364
suppress gen_id 1, sig_id 2018959
suppress gen_id 1, sig_id 2019416
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2103192
suppress gen_id 1, sig_id 2402000
suppress gen_id 1, sig_id 2403344
suppress gen_id 1, sig_id 2406003
suppress gen_id 1, sig_id 2406067
suppress gen_id 1, sig_id 2406069
suppress gen_id 1, sig_id 2406424
suppress gen_id 1, sig_id 2500050
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 2520199
suppress gen_id 1, sig_id 2520205
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
suppress gen_id 3, sig_id 19187
suppress gen_id 3, sig_id 21355
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 119, sig_id 33
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
suppress gen_id 123, sig_id 10
suppress gen_id 124, sig_id 3
suppress gen_id 125, sig_id 2
suppress gen_id 137, sig_id 1
suppress gen_id 138, sig_id 2
suppress gen_id 138, sig_id 3
suppress gen_id 138, sig_id 4
suppress gen_id 138, sig_id 5
suppress gen_id 138, sig_id 6
suppress gen_id 140, sig_id 27
suppress gen_id 141, sig_id 1
