Re: Snort Network Suppression

On 14/12/2007, Jonathan Askew JBASKEW <JBASKEW@xxxxxxxx> wrote:

I am new to IDS and have just set up snort on a ubuntu host. It has worked
well except for the fact that I am getting some false positivies from local
traffic on the network. I have been trying to find the solution on snort's
forums but the site seems to be going up and down randomly. I want to set a
rule in order to suppress/ignore local network traffic for 192.168.1.0/24.
I know this can be done in the /etc/threshold.conf file but have not been
able to do so successfully. Can someone be so kind as to post their
threshold.conf file or guide me through the process?

Hi there,

I haven't tried the threshold stuff myself - but can you post your
threshold.conf ? The doco suggests something like this:

suppress gen_id 1, sig_id 1852, track by_dst, ip 192.168.1.0/24

for each sid (1852 in this case) you want to suppress. I would track
by destination, because often the alerts indicating outgoing attacks
are the interesting ones. (The internet attacking you is not news, you
attacking the internet definitely is news.)

You might do better with this query on snort-users:
https://lists.sourceforge.net/lists/listinfo/snort-users

cheers,
Jamie
--
Jamie Riden / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx
UK Honeynet Project: http://www.ukhoneynet.org/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • RE: Intrusion Prevention
    ... Coverage what can it detect; this covers basic attacks, ... IDS purchase. ... While doing these implementations and while working in an IDS vendor I ... sometimes we're told that we cannot see the testing methodology upfront. ...
    (Focus-IDS)
  • RE: Changes in IDS Companies?
    ... This means you need a standard IDS sitting behind it/next to it watching the ... Things like port scans and DoS attacks ... >>> If people are running insecure web servers, ... > Pretty sad state of affairs, when people don't update their patches at ...
    (Focus-IDS)
  • RE: Best Method(s) for signature verification.
    ... on this list - and other IDS lists - for the means to test their IDS ... When I say we use IDS Informer for our signature recognition testing, ... should point out that we do NOT use all the default attacks! ... (IIS attacks run against Apache web servers on Unix - "real ...
    (Focus-IDS)
  • Re: How to choose an IDS/FW MSS provider
    ... First, "recording everything" is not what IDS's were EVER meant for, ... others can create "audit" trails of every web request, every mail, every ... >detect attacks by inspecting layer 3 headers for prohibited IP ... >facility with an IDS or IPS deployed. ...
    (Focus-IDS)
  • Re: Alarming (was protocol analysis)
    ... Obviously, there are different ways to "detect" attacks, but John uses the ... no one should ever "rely" on any IDS for our ... As for Johns Metaphor of the motion sensor vs the pressure sensor, ... toward Intrusion Prevention as opposed to just Intrusion Detection. ...
    (Focus-IDS)
Loading