Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort False positive shutterstock.com 192.33.31.57

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    2
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      warren.cohn
      last edited by

      Hi All,
      I am have an issue where an ip address 192.33.31.57 keeps getting blocked and can figure out how to prevent it. No alert is generated. It is used by shutterstock as a cdn.

      I am using that suppress gen_id from this forum below and it works great. I also keep my whitelisted ip addresses in alias's and and have configured in snort to whitelist these addresses.

      Any help would greatly be appreciated.

      suppress gen_id 1, sig_id 536
      suppress gen_id 1, sig_id 648
      suppress gen_id 1, sig_id 653
      suppress gen_id 1, sig_id 1390
      suppress gen_id 1, sig_id 2452
      suppress gen_id 1, sig_id 8375
      suppress gen_id 1, sig_id 11192
      suppress gen_id 1, sig_id 12286
      suppress gen_id 1, sig_id 15147
      suppress gen_id 1, sig_id 15306
      suppress gen_id 1, sig_id 15362
      suppress gen_id 1, sig_id 16313
      suppress gen_id 1, sig_id 16482
      suppress gen_id 1, sig_id 17458
      suppress gen_id 1, sig_id 20583
      suppress gen_id 1, sig_id 23098
      suppress gen_id 1, sig_id 23256
      suppress gen_id 1, sig_id 24889
      suppress gen_id 1, sig_id 2000334
      suppress gen_id 1, sig_id 2000419
      suppress gen_id 1, sig_id 2003195
      suppress gen_id 1, sig_id 2008120
      suppress gen_id 1, sig_id 2008578
      suppress gen_id 1, sig_id 2010516
      suppress gen_id 1, sig_id 2010935
      suppress gen_id 1, sig_id 2010937
      suppress gen_id 1, sig_id 2011716
      suppress gen_id 1, sig_id 2012086
      suppress gen_id 1, sig_id 2012087
      suppress gen_id 1, sig_id 2012088
      suppress gen_id 1, sig_id 2012089
      suppress gen_id 1, sig_id 2012141
      suppress gen_id 1, sig_id 2012252
      suppress gen_id 1, sig_id 2012758
      suppress gen_id 1, sig_id 2013222
      suppress gen_id 1, sig_id 2013414
      suppress gen_id 1, sig_id 2014518
      suppress gen_id 1, sig_id 2014520
      suppress gen_id 1, sig_id 2014726
      suppress gen_id 1, sig_id 2014819
      suppress gen_id 1, sig_id 2015561
      suppress gen_id 1, sig_id 2100366
      suppress gen_id 1, sig_id 2100368
      suppress gen_id 1, sig_id 2100651
      suppress gen_id 1, sig_id 2101390
      suppress gen_id 1, sig_id 2101424
      suppress gen_id 1, sig_id 2102314
      suppress gen_id 1, sig_id 2103134
      suppress gen_id 1, sig_id 2103192
      suppress gen_id 1, sig_id 2013504
      suppress gen_id 1, sig_id 2406003
      suppress gen_id 1, sig_id 2406067
      suppress gen_id 1, sig_id 2406069
      suppress gen_id 1, sig_id 2406424
      suppress gen_id 1, sig_id 2500056
      suppress gen_id 1, sig_id 100000230
      suppress gen_id 3, sig_id 14772
      #(http_inspect) DOUBLE DECODING ATTACK
      suppress gen_id 119, sig_id 2
      #(http_inspect) BARE BYTE UNICODE ENCODING
      suppress gen_id 119, sig_id 4
      #(http_inspect) IIS UNICODE CODEPOINT ENCODING
      suppress gen_id 119, sig_id 7
      #(http_inspect) NON-RFC DEFINED CHAR [**]
      suppress gen_id 119, sig_id 14
      #(http_inspect) UNKNOWN METHOD
      suppress gen_id 119, sig_id 31
      #(http_inspect) SIMPLE REQUEST
      suppress gen_id 119, sig_id 32
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 2
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 3
      #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
      suppress gen_id 120, sig_id 4
      #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
      suppress gen_id 120, sig_id 6
      #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
      suppress gen_id 120, sig_id 8
      #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
      suppress gen_id 120, sig_id 9

      Unknown

      suppress gen_id 120, sig_id 10
      suppress gen_id 122, sig_id 19
      suppress gen_id 122, sig_id 21
      suppress gen_id 122, sig_id 22
      suppress gen_id 122, sig_id 23
      suppress gen_id 122, sig_id 26
      #(spp_frag3) Bogus fragmentation packet. Possible BSD attack
      suppress gen_id 123, sig_id 10
      #(smtp) Attempted response buffer overflow: 1448 chars
      suppress gen_id 124, sig_id 3
      #(ftp_telnet) Invalid FTP Command
      suppress gen_id 125, sig_id 2
      #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
      suppress gen_id 137, sig_id 1

      Credit Card Numbers

      suppress gen_id 138, sig_id 2

      U.S. Social Security Numbers (with dashes)

      suppress gen_id 138, sig_id 3

      U.S. Social Security Numbers (w/out dashes)

      suppress gen_id 138, sig_id 4

      Email Addresses

      suppress gen_id 138, sig_id 5

      U.S. Phone Numbers

      suppress gen_id 138, sig_id 6
      #(spp_sip) Maximum dialogs within a session reached
      suppress gen_id 140, sig_id 27
      #(IMAP) Unknown IMAP4 command
      suppress gen_id 141, sig_id 1

      Thank you,
      Warren

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        There will be a description on the ALERTS tab for the alert generated by the IP address.  Post that alert description here.  If you are sure the alert is a false positive, you can either suppress that entire SID, or just suppress the SID when the IP matches the one in question.

        Post the actual alert description that is printed along with the blocked IP either on the ALERTS tab or the BLOCKS tab.

        Bill

        1 Reply Last reply Reply Quote 0
        • First post
          Last post