Snort supress list

Kryptos1

Can anyone post the command to use for adding an IP to Snort's supress list? Where are the suppress lists stored?

MikeV7896

@Kryptos1:

Can anyone post the command to use for adding an IP to Snort's supress list? Where are the suppress lists stored?

That would be a great question for the IDS/IPS forum…

Kryptos1

Id like to add the commands to these cheat sheets.

bmeeks

@Kryptos1:

Can anyone post the command to use for adding an IP to Snort's supress list? Where are the suppress lists stored?

The suppress list is a text file stored in a sub-directory unique to the interface.  There is no API for adding to the list from a third-party application.  There are icons on the ALERTS tab that can be clicked, and those icons will execute some PHP code that adds an IP to the list for the interface.

Bill

Kryptos1

Hello Bill,

Thank you for the reply. I found where the snort configuration files were. If someone modifies the suppress list texts with a text editor, what would be the command to restart/reload snort so that text file is reread and loaded? I'm trying to learn and document all the commands necessary to manage snort/pfsense remotely over ssh.

Chris

bmeeks

@Kryptos1:

Hello Bill,

Thank you for the reply. I found where the snort configuration files were. If someone modifies the suppress list texts with a text editor, what would be the command to restart/reload snort so that text file is reread and loaded? I'm trying to learn and document all the commands necessary to manage snort/pfsense remotely over ssh.

Chris

There is a shell script (/usr/local/etc/rc.d/snort.sh) that you can execute to restart Snort. Just call that script with one of these arguments:  start, stop or restart.  I suspect restart is the one you want to use.  The shell script will impact all of the configured Snort interfaces.

Bill