How do you manage your Snort Suppress List?

FlashPan

Hi People,

Not sure if you would describe this as a "best practice" question but was scrolling through my suppress list and it occured to me that on what depends you use in snort it can get quite long or cluttered and hard to ID different exceptions etc.

When I create or add a supression I annotate it (- SB xxxxxxxxx) eg:

#ET POLICY Data POST to an image file (jpg) - SB Allow Pics to Upload to Externl Website
suppress gen_id 1, sig_id 2010067

#ET INFO EXE - Served Attached HTTP - SB Allow linking of files to download/MS WSUS Download
suppress gen_id 1, sig_id 2014520

#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE - SB Allow Microsoft Updates to WSUS
suppress gen_id 120, sig_id 4

#ET POLICY Python-urllib/ Suspicious User Agent - SB Allow AMD Graphics Card Update
#suppress gen_id 1, sig_id 2013031, track by_dst, ip 62.253.72.25

#ET POLICY Python-urllib/ Suspicious User Agent - SB Allow AMD Graphics Card Update
#suppress gen_id 1, sig_id 2013031, track by_dst, ip 209.49.122.59

#ET POLICY Vulnerable Java Version 1.7.x Detected - SB Allow Sony Mobile Emma
suppress gen_id 1, sig_id 2014297, track by_dst, ip 93.184.221.76

#ET SCAN Sipvicious Scan - SB Allow Sony Mobile Emma
suppress gen_id 1, sig_id 2008578, track by_src, ip 199.217.113.243

#ET SCAN Sipvicious User-Agent Detected (friendly-scanner) - SB Allow Sony Mobile Emma
suppress gen_id 1, sig_id 2011716, track by_src, ip 199.217.113.243

#APP-DETECT TeamViewer remote administration tool outbound connection attempt - SB Allow Teamviewer Outbound Connection
suppress gen_id 1, sig_id 34463

So with this in mind I was thinking how best to manage/review your entries.  I think supressions are listed in teh order of time when they are added.

What does the community think (or do)?  Keep the list in Alphabetical order, supress gen_id order, Personal anotation order or ? for better management?

Cheers

bmeeks

I would say management of the Suppress List is likely a personal preference thing.  I don't think there is necessarily a right or wrong way to do it.  Like you, I tend to put comments in mine as well and separate the entries with a blank line.  I don't current put them in any kind of specific order, though.  The default arrangement is of course most recent entry is at the bottom of the file.

Bill

simby

Bill can you please share your list or. PM? Please,..

bmeeks

@simby:

Bill can you please share your list or. PM? Please,..

Here is what I have on my home firewall.  I have not added or removed entries in quite some time…

#"(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED"
suppress gen_id 120, sig_id 10

#"(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE"
suppress gen_id 120, sig_id 4

#"(http_inspect) NON-RFC DEFINED CHAR"
suppress gen_id 119, sig_id 14

#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7

#"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"
suppress gen_id 1, sig_id 16482

#"ET TROJAN Suspicious Malformed Double Accept Header"
suppress gen_id 1, sig_id 2008975

#"GPL WEB_CLIENT PNG large colour depth download attempt"
suppress gen_id 1, sig_id 2103134

#"FILE-IDENTIFY download of executable content"
suppress gen_id 1, sig_id 11192

#"FILE-IDENTIFY Portable Executable binary file magic detected"
suppress gen_id 1, sig_id 15306

#ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection
suppress gen_id 1, sig_id 2013479

#ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection
suppress gen_id 1, sig_id 2013479

#ET INFO Packed Executable Download
suppress gen_id 1, sig_id 2014819

#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3

#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33

#(http_inspect) TOO MANY PIPELINED REQUESTS
suppress gen_id 119, sig_id 34