Snort False positive shutterstock.com 192.33.31.57



  • Hi All,
    I am have an issue where an ip address 192.33.31.57 keeps getting blocked and can figure out how to prevent it. No alert is generated. It is used by shutterstock as a cdn.

    I am using that suppress gen_id from this forum below and it works great. I also keep my whitelisted ip addresses in alias's and and have configured in snort to whitelist these addresses.

    Any help would greatly be appreciated.

    suppress gen_id 1, sig_id 536
    suppress gen_id 1, sig_id 648
    suppress gen_id 1, sig_id 653
    suppress gen_id 1, sig_id 1390
    suppress gen_id 1, sig_id 2452
    suppress gen_id 1, sig_id 8375
    suppress gen_id 1, sig_id 11192
    suppress gen_id 1, sig_id 12286
    suppress gen_id 1, sig_id 15147
    suppress gen_id 1, sig_id 15306
    suppress gen_id 1, sig_id 15362
    suppress gen_id 1, sig_id 16313
    suppress gen_id 1, sig_id 16482
    suppress gen_id 1, sig_id 17458
    suppress gen_id 1, sig_id 20583
    suppress gen_id 1, sig_id 23098
    suppress gen_id 1, sig_id 23256
    suppress gen_id 1, sig_id 24889
    suppress gen_id 1, sig_id 2000334
    suppress gen_id 1, sig_id 2000419
    suppress gen_id 1, sig_id 2003195
    suppress gen_id 1, sig_id 2008120
    suppress gen_id 1, sig_id 2008578
    suppress gen_id 1, sig_id 2010516
    suppress gen_id 1, sig_id 2010935
    suppress gen_id 1, sig_id 2010937
    suppress gen_id 1, sig_id 2011716
    suppress gen_id 1, sig_id 2012086
    suppress gen_id 1, sig_id 2012087
    suppress gen_id 1, sig_id 2012088
    suppress gen_id 1, sig_id 2012089
    suppress gen_id 1, sig_id 2012141
    suppress gen_id 1, sig_id 2012252
    suppress gen_id 1, sig_id 2012758
    suppress gen_id 1, sig_id 2013222
    suppress gen_id 1, sig_id 2013414
    suppress gen_id 1, sig_id 2014518
    suppress gen_id 1, sig_id 2014520
    suppress gen_id 1, sig_id 2014726
    suppress gen_id 1, sig_id 2014819
    suppress gen_id 1, sig_id 2015561
    suppress gen_id 1, sig_id 2100366
    suppress gen_id 1, sig_id 2100368
    suppress gen_id 1, sig_id 2100651
    suppress gen_id 1, sig_id 2101390
    suppress gen_id 1, sig_id 2101424
    suppress gen_id 1, sig_id 2102314
    suppress gen_id 1, sig_id 2103134
    suppress gen_id 1, sig_id 2103192
    suppress gen_id 1, sig_id 2013504
    suppress gen_id 1, sig_id 2406003
    suppress gen_id 1, sig_id 2406067
    suppress gen_id 1, sig_id 2406069
    suppress gen_id 1, sig_id 2406424
    suppress gen_id 1, sig_id 2500056
    suppress gen_id 1, sig_id 100000230
    suppress gen_id 3, sig_id 14772
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    #(http_inspect) NON-RFC DEFINED CHAR [**]
    suppress gen_id 119, sig_id 14
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 2
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
    suppress gen_id 120, sig_id 4
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    suppress gen_id 120, sig_id 9

    Unknown

    suppress gen_id 120, sig_id 10
    suppress gen_id 122, sig_id 19
    suppress gen_id 122, sig_id 21
    suppress gen_id 122, sig_id 22
    suppress gen_id 122, sig_id 23
    suppress gen_id 122, sig_id 26
    #(spp_frag3) Bogus fragmentation packet. Possible BSD attack
    suppress gen_id 123, sig_id 10
    #(smtp) Attempted response buffer overflow: 1448 chars
    suppress gen_id 124, sig_id 3
    #(ftp_telnet) Invalid FTP Command
    suppress gen_id 125, sig_id 2
    #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
    suppress gen_id 137, sig_id 1

    Credit Card Numbers

    suppress gen_id 138, sig_id 2

    U.S. Social Security Numbers (with dashes)

    suppress gen_id 138, sig_id 3

    U.S. Social Security Numbers (w/out dashes)

    suppress gen_id 138, sig_id 4

    Email Addresses

    suppress gen_id 138, sig_id 5

    U.S. Phone Numbers

    suppress gen_id 138, sig_id 6
    #(spp_sip) Maximum dialogs within a session reached
    suppress gen_id 140, sig_id 27
    #(IMAP) Unknown IMAP4 command
    suppress gen_id 141, sig_id 1

    Thank you,
    Warren



  • There will be a description on the ALERTS tab for the alert generated by the IP address.  Post that alert description here.  If you are sure the alert is a false positive, you can either suppress that entire SID, or just suppress the SID when the IP matches the one in question.

    Post the actual alert description that is printed along with the blocked IP either on the ALERTS tab or the BLOCKS tab.

    Bill


Log in to reply