[Oisf-users] Alerts' suppression
Kirill Sluchanko
KSluchanko at polikom.ru
Wed Jul 17 12:28:43 UTC 2013
OK, let's start from the other end.
My task is to remove alerts for some rule from unified2.alerts, as these
alerts are uselessly poisoning Snorby's database.
As I got no replies to my previous message, I've tried to experiment with
threshold settings. First of all, I've enabled drop.log (as, for some
reason, it is the only way I can use to find out whether the packets are
dropped).
Then I've enabled the threshold file in suricata.yaml and created
threshold.config with the following content:
suppress gen_id 1, sig_id 2200075
Restarted Suricata - and the first try failed. Too few records in drop.log. I
think it means that packets matching the rule are not dropped - and when
I commented out the string above and restarted Suricata, drop.log showed
that packets of interest are being dropped.
Well, let's try another way - I have changed the content of threshold.conf
to the following string:
threshold gen_id 1, sig_id 2200075, type threshold, track by_src,
count 1000, seconds 1000
Restarted Suricata - still no luck; drop.log shows that nothing is
dropped. Commented out the string and restarted Suricata - drop.log shows that
packets are being dropped.
The question is - what's wrong with my approach? Or maybe something is
wrong with Suricata? For example, I suspect that 'suppress' or
'threshold' usage can influence dropped-packet logging.
--
Best regards,
Kirill Sluchanko
Senior engineer
Systems Integration Department
KSluchanko at polikom.ru
ICQ: 58533620 Skype: KSluchanko
phone: +7 (812) 325 84 00 #182
——————————————————————————————————
Polikom Pro JSC
Systems Integrator
195197 Russia, St. Petersburg
59 liter E Poliustrovskiy prospekt
phone: +7 (812) 325 84 00
fax: +7 (812) 320 56 86
www.polikom.ru info at polikom.ru
On Mon, 15/07/2013 at 13:50 +0000, Kirill Sluchanko wrote:
> Hi,
>
> Suricata's Wiki contains the following text in the Global-Thresholds section:
>
> -------------------------------------------------------------------------------
> suppress
>
> Suppressions can be used to suppress alerts for a rule or a
> host/network. Actions performed when a rule matches, such as setting a
> flowbit, are still performed.
>
> Syntax:
>
> suppress gen_id <gid>, sig_id <sid>
> suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|
> subnet>
>
> Example:
>
> suppress gen_id 1, sig_id 2002087, track by_src, ip 209.132.180.67
>
> This will make sure the signature 2002087 will never match for src host
> 209.132.180.67.
> -------------------------------------------------------------------------------
>
> In the first paragraph we see that 'suppress' suppresses alerts for the
> rule while other actions are still performed when the rule matches. OK, that's
> exactly what I need - drop UDP with invalid checksums but suppress
> alerts on it to keep my logs clear.
>
> But then we have the usage example for 'suppress' - and the explanation says
> that 'suppress' makes the signature never match. Wow... looks like if I
> use 'suppress' for my rule, which is dropping UDP packets with
> invalid checksums, it will never match and the packets I want to drop will
> pass. Not good.
>
> Which is true? And, of course, the Global-Thresholds section in the Wiki should
> be corrected to be precise and unambiguous.
>
> Best regards,
> Cyril Sluchanko
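The thread turns on whether the 'suppress' and 'threshold' entries were written correctly and what each form applies to. As an added example (not code from the thread or from the Suricata project), the following Python validator checks threshold.config lines against the two keyword forms quoted from the wiki above and reports what is wrong before Suricata is restarted. It assumes the set of 'type' values (threshold, limit, both) and that 'ip' is a single address or CIDR; the sample config is constructed.

```python
# Added example (not code from the thread): validate Suricata threshold.config entries.
import ipaddress
import re

_KV = re.compile(r"\s*(\w+)\s+(\S+)\s*$")  # one "keyword value" token

# Constructed sample: the thread's two entries plus one that lacks 'seconds'.
SAMPLE_CONFIG = """\
suppress gen_id 1, sig_id 2200075
threshold gen_id 1, sig_id 2200075, type threshold, track by_src, count 1000, seconds 1000
threshold gen_id 1, sig_id 2200075, type limit, track by_dst, count 1
"""

def parse_entry(line):
    """Parse one entry into (kind, fields); raise ValueError on bad syntax."""
    kind, _, rest = line.strip().partition(" ")
    if kind not in ("suppress", "threshold"):
        raise ValueError(f"unknown keyword {kind!r}")
    fields = {}
    for part in rest.split(","):
        m = _KV.match(part)
        if not m:
            raise ValueError(f"malformed token {part!r}")
        fields[m.group(1)] = m.group(2)
    required = ("gen_id", "sig_id") + (("type", "track", "count", "seconds") if kind == "threshold" else ())
    if any(k not in fields for k in required):
        raise ValueError(f"missing one of {required}")
    for k in ("gen_id", "sig_id", "count", "seconds"):
        if k in fields and not fields[k].isdigit():
            raise ValueError(f"{k} must be an integer")
    if fields.get("track", "by_src") not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    if kind == "threshold" and fields["type"] not in ("threshold", "limit", "both"):
        raise ValueError("type must be threshold, limit or both")  # assumed set of values
    if kind == "suppress":
        if ("ip" in fields) != ("track" in fields):
            raise ValueError("suppress takes both track and ip, or neither")
        if "ip" in fields:  # assumes a single address or CIDR; raises ValueError otherwise
            ipaddress.ip_network(fields["ip"], strict=False)
    return kind, fields

def validate_config(text):
    """Return (entries, errors) for a whole file; blank and '#' lines are skipped."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip() and not raw.lstrip().startswith("#"):
            try:
                entries.append(parse_entry(raw))
            except ValueError as e:
                errors.append(f"line {n}: {e}")
    return entries, errors
```

A bare `suppress gen_id 1, sig_id 2200075` parses with no track or ip, which is what makes it apply to every host rather than to one source as in the wiki example.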