[Oisf-users] threshold will not work on suricata v1.4.1

Peter Manev petermanev at gmail.com
Fri Mar 22 13:27:00 UTC 2013


On Fri, Mar 22, 2013 at 2:13 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:

>  Hi Peter,
> what I see is the following.
>
>  this works:
>
>  global threshold
> suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
> suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.1.25
>
>  Suppress this event completely
>  # gen_id_1
> suppress gen_id 1, sig_id 536
> #"GPL SHELLCODE x86 NOOP"
> suppress gen_id 1, sig_id 648
> #GPL SHELLCODE x86 0x90 unicode NOOP
> suppress gen_id 1, sig_id 653
> # This set of instructions can be used as a NOOP to pad buffers on x86 architecture machines.
> suppress gen_id 1, sig_id 1390
> suppress gen_id 1, sig_id 2452
> suppress gen_id 1, sig_id 8375
>
>  but not these rules (sig_id, src, dst, IP)
>  suppress gen_id 139, sig_id 430, track by_src, ip 192.168.1.37
> suppress gen_id 139, sig_id 430, track by_dst, ip 192.168.1.37
> suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
>
so anything with a sid longer than 4 digits?

> suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
> suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
> suppress gen_id 139, sig_id 2102123, track by_src, ip 192.168.1.37
> suppress gen_id 139, sig_id 2102123, track by_dst, ip 192.168.1.37
>
>
>
>  On 22.03.2013 at 14:05, Peter Manev <petermanev at gmail.com> wrote:
>
> Hi Stefan,
>
> So you are saying it was working before... and now it is not again?
> Thanks
>
> On Fri, Mar 22, 2013 at 2:03 PM, Stefan Sabolowitsch <
> Stefan.Sabolowitsch at felten-group.com> wrote:
>
>>  Hi all,
>> I have here the latest Suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.
>>
>>  these rules
>>
>>  suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
>>
>>  or this will not work
>>
>>  suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
>> suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
>>
>>  I always get this alarm on suri (no errors seen in the suri log file)
>>
>>  Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918
>>
>>  any help here?
>>
>>  Best regards
>>  Stefan
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
>
>
> --
> Regards,
> Peter Manev
>
>
>


-- 
Regards,
Peter Manev
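Added here as an illustration (not part of the thread or of the Suricata code base): a small Python checker that parses threshold.config suppress entries and a Snort-style syslog alert line and lists which entries would apply, following the documented matching rules (gen_id 0 and sig_id 0 are wildcards, otherwise the gid/sid must match exactly, then track by_src/by_dst is tested against the listed IP or CIDR). Run against the alert quoted in the thread, which carries gid 1 ([1:2002068:8]), the gen_id 139 entries do not apply while a gen_id 1 variant does; an empty result means the alert still fires.

```python
import ipaddress
import re
# Constructed sample: the thread's gen_id 139 entries plus a gen_id 1 variant and a wildcard line.
SUPPRESS_LINES = """
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
suppress gen_id 1, sig_id 2002068, track by_src, ip 192.168.100.120
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
"""
# The syslog alert quoted in the thread: [gid:sid:rev] ... {proto} src:port -> dst:port
ALERT = ("Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible"
         " Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2]"
         " {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918")

SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
                         r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*\{\w+\}\s+(\S+):\d+\s+->\s+(\S+):\d+")

def parse_suppress(text):
    # Yields (gid, sid, track, network); track and network are None for a global suppress.
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue
        m = SUPPRESS_RE.match(line)
        if not m: raise ValueError("unparsable suppress line: " + line)
        gid, sid, track, ip = m.groups()
        # "ip" takes a single address or a CIDR; a bare address becomes a /32 network.
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        yield int(gid), int(sid), track, net

def parse_alert(line):
    # Returns (gid, sid, src, dst) from a Snort/Suricata syslog alert line.
    m = ALERT_RE.search(line)
    if not m: raise ValueError("not a recognised alert line")
    gid, sid, src, dst = m.groups()
    return int(gid), int(sid), ipaddress.ip_address(src), ipaddress.ip_address(dst)

def matches(rule, alert):
    gid, sid, track, net = rule
    a_gid, a_sid, src, dst = alert
    # gen_id 0 and sig_id 0 are wildcards; anything else must equal the alert's gid/sid.
    if gid not in (0, a_gid) or sid not in (0, a_sid):
        return False
    if track is None:  # no track clause: suppressed regardless of address
        return True
    return (src if track == "by_src" else dst) in net

def suppressed_by(text, alert_line):
    alert = parse_alert(alert_line)
    return [r for r in parse_suppress(text) if matches(r, alert)]
```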