[Oisf-users] threshold will not work on suricata v1.4.1

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Fri Mar 22 13:31:14 UTC 2013


Maybe yes, when I see these issues...

On 22.03.2013 at 14:27, Peter Manev <petermanev at gmail.com> wrote:



On Fri, Mar 22, 2013 at 2:13 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi Peter,
what I see is the following.

this works:

global threshold
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
suppress gen_id 0, sig_id 0, track by_dst, ip 192.168.1.25

Suppress this event completely
# gen_id_1
suppress gen_id 1, sig_id 536
#"GPL SHELLCODE x86 NOOP"
suppress gen_id 1, sig_id 648
#GPL SHELLCODE x86 0x90 unicode NOOP
suppress gen_id 1, sig_id 653
# This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375

but not these rules (sig_id, src, dst, IP)
suppress gen_id 139, sig_id 430, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 430, track by_dst, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
so anything with a sid longer than 4 digits?
suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2100498, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2102123, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2102123, track by_dst, ip 192.168.1.37



On 22.03.2013 at 14:05, Peter Manev <petermanev at gmail.com> wrote:

Hi Stefan,

So you are saying it was working before... and now it is not again?
Thanks

On Fri, Mar 22, 2013 at 2:03 PM, Stefan Sabolowitsch <Stefan.Sabolowitsch at felten-group.com> wrote:
Hi all,
I have here the latest Suricata (in IPS mode) on CentOS 6.4 with a 3.8 kernel.

these rules

suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37

or these will not work

suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120

I always get this alarm from Suricata (no errors seen in the Suricata log file)


Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.120:10000 -> 192.168.1.37:59918


Any help here?

Best regards
Stefan

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/



--
Regards,
Peter Manev




--
Regards,
Peter Manev
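A worked example, added here and not part of the thread or of Suricata's own code: a minimal model of how threshold.config `suppress` entries are matched against an alert, run over the entries and the syslog alert line quoted above. The alert line's `[1:2002068:8]` triple is `[gid:sid:rev]`, so its generator id is 1, while the suppress entries in the thread carry `gen_id 139`; the model makes the consequence visible. Assumptions in this model (labelled in the code): `gen_id 0` and `sig_id 0` act as wildcards, `track by_src` is compared against the alert's source IP and `track by_dst` against its destination IP, an entry without `track` suppresses the signature everywhere, and `ip` may be a single address, a CIDR block or a bracketed comma-separated list. The config text and the alert line are constructed from the thread for the demonstration.

```python
"""Simplified model of Suricata threshold.config `suppress` matching.

Added example, not Suricata's implementation. Assumptions: gen_id 0 and
sig_id 0 are wildcards; by_src/by_dst compare the alert's source/destination
address; an entry without `track` matches the signature everywhere.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# suppress gen_id G, sig_id S[, track by_src|by_dst, ip X]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
# syslog / fast.log shape: [gid:sid:rev] msg ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\].*?\{(\w+)\}\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)"
)


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]        # "by_src", "by_dst" or None (suppress everywhere)
    networks: List[IPNet]       # empty when there is no track clause
    line: str                   # original config line, for reporting


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    proto: str
    src: IPAddr
    dst: IPAddr


def parse_threshold(text: str) -> List[Suppress]:
    """Parse suppress entries; comments and non-suppress lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUPPRESS_RE.match(line) if line else None
        if not m:
            continue                      # threshold/rate_filter lines not modelled
        gen_id, sig_id, track, ip = m.groups()
        nets: List[IPNet] = []
        if ip:                            # "1.2.3.4", "10.0.0.0/8" or "[a,b]"
            for part in ip.strip("[]").split(","):
                nets.append(ipaddress.ip_network(part.strip(), strict=False))
        entries.append(Suppress(int(gen_id), int(sig_id), track, nets, line))
    return entries


def parse_alert(line: str) -> Alert:
    """Extract gid/sid/rev, protocol and endpoints from an alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a recognised alert line")
    gid, sid, rev, proto, src, _sp, dst, _dp = m.groups()
    return Alert(int(gid), int(sid), int(rev), proto,
                 ipaddress.ip_address(src), ipaddress.ip_address(dst))


def matches(entry: Suppress, alert: Alert) -> bool:
    """True when this suppress entry would apply to the alert (model semantics)."""
    if entry.gen_id not in (0, alert.gid):   # assumption: 0 is a wildcard
        return False
    if entry.sig_id not in (0, alert.sid):
        return False
    if entry.track is None:
        return True
    addr = alert.src if entry.track == "by_src" else alert.dst
    return any(addr in net for net in entry.networks)


def matching_entries(threshold_text: str, alert_line: str) -> List[str]:
    """Return the config lines that would suppress the given alert."""
    alert = parse_alert(alert_line)
    return [e.line for e in parse_threshold(threshold_text) if matches(e, alert)]


# Constructed from the thread: the entries as posted (gen_id 139) ...
THREAD_CONFIG = """
# global threshold
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.25
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.1.37
suppress gen_id 139, sig_id 2002068, track by_src, ip 192.168.100.120
suppress gen_id 139, sig_id 2002068, track by_dst, ip 192.168.100.120
"""
# ... and the same entries with gen_id set to the alert's generator id, 1.
FIXED_CONFIG = THREAD_CONFIG.replace("gen_id 139", "gen_id 1")

# The alert quoted in the thread (link residue removed): gid 1, sid 2002068.
ALERT_LINE = ("Mar 22 01:59:19 ipd1 snort[7533]: [1:2002068:8] ET EXPLOIT NDMP "
              "Notify Connect - Possible Backup Exec Remote Agent Recon "
              "[Classification: Attempted Information Leak] [Priority: 2] "
              "{TCP} 192.168.100.120:10000 -> 192.168.1.37:59918")

if __name__ == "__main__":
    print("as posted :", matching_entries(THREAD_CONFIG, ALERT_LINE))
    print("gen_id 1  :", matching_entries(FIXED_CONFIG, ALERT_LINE))
```

Run stand-alone, the script reports no matching entry for the config as posted and two for the `gen_id 1` variant (the `by_dst 192.168.1.37` and `by_src 192.168.100.120` lines, which are the two that correspond to the quoted alert's endpoints).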
