Snort - Suppression Tutorial - (How to get rid of annoying alerts)
-
Hello Guys,
I thought of creating a small tutorial for people who have problem with false positive alerts or websites they wanna visit and don't get alerts from, using suppression option/list.
here's a link document with snapshots to the tutorial.
http://sdrv.ms/QMrOFzPlease if it has any technical/grammatical mistakes do let me know ;D
let me know if it was useful to you so I continue to write.
Thanks
Mohammed JH -
Overall great start! :-) I would point out that they have to click the + sign next to the rule in the sid box to add it to a surpress list (this will put the discription and surpressed id automatically.).. Also, it may be note worthy to show in the settings of the interface how to enable the supress list and the pull down to select the supress list. I am not sure since I have had mine set up from back in the manual days of doing things, that on the new version of snort if there is no surpress list set up, that if you click the +, will snort automatically create a custom surpress list, add the sid ect to it, and finally telll the interface to use the newly created list.
When i set mine up, it was all manual and i had to create that and change the settings myself, so even if it is automated it may be good to add those screenshots to the walkthrough so people know how to maunally check to see if the interface is actively using it. Or maybe in the event they no longer want the interface to use that surpress list.
Other than that, thanks for putting that together. I am sure it will help some new users to snort.
-
Yeah I noticed later that there's an option for suppression in the new package :-[ but in general it add up to our knowledge as you said esp for newbies. ;D