ET code suppress not working in Snort



  • I tried to put this ET code in my suppress list and unblock the IP address

    1:2012966
    ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt

    After a visit to the website the IP is already back in the Snort alert list.

    I click on suppress this rule and unblock the IP address again.

    When I visit the website the IP is blocked again.

    What am I doing wrong? I tried to put this IP on the white list or the suppress list.

    Do I need to restart Snort every time I change the list?

    -----------
    #ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt
    suppress gen_id 1, sig_id 2012966



  • Go to the SUPPRESS tab and find the list for your interface.  It will likely have a random number and the word "WAN" or "LAN" in the name.  Click to edit the file and make sure you see a line in there for the rule suppression.  If all that is OK, now go to the INTERFACE SETTINGS tab for your WAN or LAN (as appropriate), and be sure the Suppress List drop-down near the bottom of the page is showing the same Suppress List name you saw on the SUPPRESS tab.  If not, select that list and save the change, then restart Snort.

    Bill



  • Hi

    I followed the instructions exactly. Added the rule to the suppressed list, reloaded the website and again I get the alert ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt.

    I can't put it on the suppressed list again (it says it's already on the list).

    I can disable the rule, and the website is blocked again.



  • @Soonie:

    Hi

    I followed the instructions exactly. Added the rule to the suppressed list, reloaded the website and again I get the alert ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt.

    I can't put it on the suppressed list again (it says it's already on the list).

    I can disable the rule, and the website is blocked again.

    It's possible you have two Snort instances running.  Go to a shell prompt and run this command:

    
    ps -ax |grep snort
    
    

    You should see only a single running instance of Snort assuming you have it running on only one interface.  If you see more Snort instances running than you have configured Snort interfaces, kill them all and then restart snort.  You can run /usr/local/etc/rc.d/snort.sh stop to stop Snort.  Then kill any Snort process that remains.  After that, run /usr/local/etc/rc.d/snort.sh start to restart your Snort interfaces.

    Bill



  • You should see only a single running instance of Snort assuming you have it running on only one interface.  If you see more Snort instances running than you have configured Snort interfaces, kill them all and then restart snort.  You can run /usr/local/etc/rc.d/snort.sh stop to stop Snort.  Then kill any Snort process that remains.  After that, run /usr/local/etc/rc.d/snort.sh start to restart your Snort interfaces.

    Bill

    I have Snort on the WAN

    I run the command and I see this:

    15979  -  Is    7:28.29 /usr/local/bin/snort -R 45659 -D -l /var/log/snort/snor
    22577  -  S    0:00.00 sh -c ps -ax |grep snort 2>&1
    22839  -  S    0:00.00 grep snort
    67990  -  Is    1:21.87 /usr/local/bin/snort -R 45659 -D -l /var/log/snort/snor

    I don't know if there are 1 or 2 Snorts running?



  • @Soonie:

    I have Snort on the WAN

    I run the command and I see this:

    15979  -  Is    7:28.29 /usr/local/bin/snort -R 45659 -D -l /var/log/snort/snor
    22577  -  S    0:00.00 sh -c ps -ax |grep snort 2>&1
    22839  -  S    0:00.00 grep snort
    67990  -  Is    1:21.87 /usr/local/bin/snort -R 45659 -D -l /var/log/snort/snor

    I don't know if there are 1 or 2 Snorts running?

    You have two running, and one of them is probably a sort of "zombie".  Kill them all and then restart Snort.  This happens now and then for some unknown reason.  Multiple instances get started on the same interface.  I have never been able to pin down the cause.

    The two lines showing /usr/local/bin/snort -R 45659 are the duplicate instances on the same interface.

    Bill
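
The duplicate-instance check Bill describes, as an added example script that is not part of the thread or of the pfSense Snort package. It groups the `ps -ax` output by the interface UUID that follows `-R` and flags any UUID with more than one snort daemon; the sample ps lines and their log path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense Snort package): given the
# output of "ps -ax | grep snort", count the snort daemons per interface UUID
# (the value after -R) and report any interface with more than one instance.
# Constructed sample lines modelled on the output posted above; the log path
# is a placeholder.
SAMPLE_PS='15979  -  Is    7:28.29 /usr/local/bin/snort -R 45659 -D -l /var/log/snort/example
22577  -  S     0:00.00 sh -c ps -ax |grep snort 2>&1
22839  -  S     0:00.00 grep snort
67990  -  Is    1:21.87 /usr/local/bin/snort -R 45659 -D -l /var/log/snort/example'

# Read ps output on stdin and print "<uuid> <count>" for every interface
# UUID that has more than one snort daemon. The sh and grep helper lines
# are skipped because their command (field 5) is not the snort binary.
duplicate_snort_instances() {
    awk '
        $5 == "/usr/local/bin/snort" {
            for (i = 6; i < NF; i++) if ($i == "-R") { n[$(i+1)]++; break }
        }
        END { for (u in n) if (n[u] > 1) print u, n[u] }
    '
}

# Return 0 when there is at most one snort per interface, 1 otherwise.
check_snort() {
    dupes=$(duplicate_snort_instances)
    if [ -n "$dupes" ]; then
        echo "duplicate snort instances (uuid count):"
        echo "$dupes"
        return 1
    fi
    echo "one snort instance per interface"
    return 0
}

# Stand-alone run against the constructed sample; on a live box use:
#   ps -ax | check_snort
if echo "$SAMPLE_PS" | check_snort; then
    echo "nothing to clean up"
else
    echo "stop with /usr/local/etc/rc.d/snort.sh stop, kill any leftover snort, then start"
fi
```

On the live system, pipe the real `ps -ax` output into `check_snort` instead of the sample; a non-zero exit means the interface has the duplicate "zombie" situation described above.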



  • @bmeeks:

    @Soonie:

    You have two running, and one of them is probably a sort of "zombie".  Kill them all and then restart Snort.  This happens now and then for some unknown reason.  Multiple instances get started on the same interface.  I have never been able to pin down the cause.

    The two lines showing /usr/local/bin/snort -R 45659 are the duplicate instances on the same interface.

    Bill

    OK, thanks very much, I killed the zombie ;-)