What is the difference between the two sigs?<br><br><div class="gmail_quote">On Fri, Mar 22, 2013 at 2:31 PM, Stefan Sabolowitsch <span dir="ltr"><<a href="mailto:Stefan.Sabolowitsch@felten-group.com" target="_blank">Stefan.Sabolowitsch@felten-group.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
Maybe yes, when I see these issues...
<div><br>
</div>
<div>
<div>
<div>On 22.03.2013 at 14:27, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote</div>
<div>:</div><div><div class="h5">
<br>
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Fri, Mar 22, 2013 at 2:13 PM, Stefan Sabolowitsch <span dir="ltr">
<<a href="mailto:Stefan.Sabolowitsch@felten-group.com" target="_blank">Stefan.Sabolowitsch@felten-group.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div>Hi Peter,</div>
<div>What I see is the following.</div>
<div><br>
</div>
<div>this works:</div>
<div><br>
</div>
<div>global threshold</div>
<div>suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25</div>
<div>suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.1.25</div>
<div><br>
</div>
<div>Suppress this event completely</div>
<div>
<div># gen_id_1</div>
<div>suppress gen_id 1, sig_id 536</div>
<div>#"GPL SHELLCODE x86 NOOP"</div>
<div>suppress gen_id 1, sig_id 648</div>
<div>#GPL SHELLCODE x86 0x90 unicode NOOP</div>
<div>suppress gen_id 1, sig_id 653</div>
<div># This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.</div>
<div>suppress gen_id 1, sig_id 1390</div>
<div>suppress gen_id 1, sig_id 2452</div>
<div>suppress gen_id 1, sig_id 8375</div>
</div>
<div><br>
</div>
<div>but not these rules (sig_id, src, dst, IP)</div>
<div>
<div>suppress gen_id 139, sig_id 430, track by_src, ip 192.168.1.37</div>
<div>suppress gen_id 139, sig_id 430, track by_dst, ip 192.168.1.37</div>
<div>
<div>suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37</div>
<div>suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37</div>
</div>
</div>
</div>
</blockquote>
<div>So anything with a sid longer than 4 digits? <br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div>
<div></div>
<div>suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37</div>
<div>suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37</div>
<div>suppress gen_id 139, sig_id 2102123, track by_src, ip 192.168.1.37</div>
<div>suppress gen_id 139, sig_id 2102123, track by_dst, ip 192.168.1.37</div>
</div>
<div><br>
</div>
<div> </div>
<br>
<div>
<div>On 22.03.2013 at 14:05, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote</div>
<div>:</div>
<div>
<div><br>
<blockquote type="cite">Hi Stefan,<br>
<br>
So you are saying it was working before... and now it is not again?<br>
Thanks<br>
<br>
<div class="gmail_quote">On Fri, Mar 22, 2013 at 2:03 PM, Stefan Sabolowitsch <span dir="ltr">
<<a href="mailto:Stefan.Sabolowitsch@felten-group.com" target="_blank">Stefan.Sabolowitsch@felten-group.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div>Hi all,</div>
<div>I have here the latest Suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.</div>
<div><br>
</div>
<div>these rules</div>
<div><br>
</div>
<div>
<div>suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37</div>
<div>suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37</div>
</div>
<div><br>
</div>
<div>or these will not work</div>
<div><br>
</div>
<div>
<div>suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120</div>
<div>suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120</div>
</div>
<div><br>
</div>
<div>I always get this alarm on suri (no errors seen in the suri log file)</div>
<div><br>
</div>
<div>
<pre style="margin-top:0px;padding:0px;line-height:16px;color:rgb(57,57,57);text-align:left">Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
</pre>
</div>
<div>Any help here?</div>
<div><br>
</div>
<div>Best regards</div>
<span><font color="#888888">
<div>Stefan</div>
</font></span></div>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">
oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org/" target="_blank">http://suricata-ids.org</a> | Support:
<a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>Regards,</div>
<div>Peter Manev</div>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>Regards,</div>
<div>Peter Manev</div>
</blockquote>
</div></div></div>
<br>
</div>
</div>
</blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div>
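<p>An added example, not part of this thread and not Suricata's own code: a small checker that parses the <code>threshold.config</code> suppress syntax used above and the <code>[gid:sid:rev] ... {proto} src:port -&gt; dst:port</code> header of the logged alert, then reports which suppress entries would apply to that alert. Fed the thread's entries (which use <code>gen_id 139</code>) and the thread's alert line (whose header reads <code>[1:2002068:8]</code>, i.e. gid 1), it reports no match and lists the entries whose sig_id matches but whose gen_id does not; with the gen_id changed to 1 the by_src and by_dst entries for the alert's actual source and destination addresses match. Assumptions: <code>gen_id 0</code> / <code>sig_id 0</code> are treated as wildcards (as the thread's "global threshold" entries imply), matching is on gid, sid and the tracked address only, addresses are IPv4, and the config and log samples are constructed from the thread's text. All function names are mine.</p>

```python
"""Report which threshold.config suppress entries would match a logged alert."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the thread's global entries plus its non-working ones.
THREAD_CONFIG = """
# global threshold
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.1.25
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
"""

# Constructed sample: the thread's syslog line with the mail client's links removed.
ALERT_LINE = (
    "Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect"
    " - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information"
    " Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918"
)

# suppress gen_id G, sig_id S[, track by_src|by_dst, ip A[/prefix]]   (IPv4 only here)
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>[\d.]+(?:/\d+)?))?\s*$"
)
# [gid:sid:rev] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                  # None, "by_src" or "by_dst"
    net: Optional[ipaddress.IPv4Network]  # None when the whole event is suppressed
    line: str                             # original entry, for reporting


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_suppress(text: str) -> List[Suppress]:
    """Parse suppress entries; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse suppress entry: {line!r}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net, line))
    return rules


def parse_alert(line: str) -> Alert:
    """Extract gid/sid/rev and the endpoint addresses from a fast-log style line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("no [gid:sid:rev] ... src -> dst header found")
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]),
                 ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))


def rule_matches(rule: Suppress, alert: Alert) -> bool:
    # Assumption: gen_id 0 / sig_id 0 act as wildcards; otherwise both must be equal.
    if rule.gid != 0 and rule.gid != alert.gid:
        return False
    if rule.sid != 0 and rule.sid != alert.sid:
        return False
    if rule.track is None:
        return True                       # suppress this event completely
    addr = alert.src if rule.track == "by_src" else alert.dst
    return addr in rule.net


def matching_rules(config: str, alert_line: str) -> List[str]:
    """Entries that would suppress the alert, in config order."""
    alert = parse_alert(alert_line)
    return [r.line for r in parse_suppress(config) if rule_matches(r, alert)]


def mismatched_gid_rules(config: str, alert_line: str) -> List[str]:
    """Entries whose sig_id matches the alert but whose gen_id does not."""
    alert = parse_alert(alert_line)
    return [r.line for r in parse_suppress(config)
            if r.sid == alert.sid and r.gid not in (0, alert.gid)]


if __name__ == "__main__":
    print("matching:", matching_rules(THREAD_CONFIG, ALERT_LINE))
    print("sid matches but gen_id differs:")
    for line in mismatched_gid_rules(THREAD_CONFIG, ALERT_LINE):
        print("  ", line)
    print("after gen_id 139 -> 1:",
          matching_rules(THREAD_CONFIG.replace("gen_id 139", "gen_id 1"), ALERT_LINE))
```

<p>The checker reads the gid from the alert header rather than trusting the value written into the config, which is the quickest way to confirm whether a suppress entry can ever apply to the event being tuned; the sid length plays no role in the comparison.</p>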