Main Archive Page > Month Archives  > snort-users archives

Re: [Snort-users] alert suppression

From: Jefferson, Shawn <Shawn.Jefferson_at_nospam>
Date: Wed May 06 2009 - 20:28:50 GMT
To: Joel Esler <jesler@sourcefire.com>

Hi,

1. I'm not sure. I didn't even know that this alert could be triggered by a rule instead of the pre-processor. How would I figure out which rule(s) may be triggering the taq: tagged packet alert? What's the purpose of this alert?
2. I'll take another look at the readme for the dcerpc2 preprocessor. Maybe I can set some alert suppression for these in the threshold.conf file instead...

Thanks for your help,
Shawn

---

From: Joel Esler [mailto:jesler@sourcefire.com] Sent: May 05, 2009 4:39 PM
To: Jefferson, Shawn
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] alert suppression

What alert is generating the tag alerts? Is it a rule, or is it the stream preprocessor? (grep your rules files for the word "Tag". I think there is only 1 rule in the VRT ruleset with tag turned on by default.

As for the dcerpc2 preprocessor, take a look at the readme. It has an "events none" configuration option for your snort.conf.

J
On Tue, May 5, 2009 at 6:25 PM, Jefferson, Shawn <Shawn.Jefferson@bcferries.com<mailto:Shawn.Jefferson@bcferries.com>> wrote: Hi,

I want to suppress some alerts I've been getting, specifically the tag: tagged packet. I've tried putting "suppress gen_id 2, sig_id 1" in the threshold.conf file, but this doesn't seem to be working. Is there a better way to suppress this alert? Especially if there is a method that is better performance-wise. I've looked around in the documentation and didn't see anything specific to the tag: tagged packet alert.

Also, the new dcerpc2 preprocesser is pretty noisy in my environment, creating quite a few alerts each day. Can anyone share any tuning advice for this?

Thanks,
Shawn

---

The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com

---

Snort-users mailing list
Snort-users@lists.sourceforge.net<mailto:Snort-users@lists.sourceforge.net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0d%0aSnort-users> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -- joel esler | Sourcefire | gtalk: jesler_at_sourcefire.com<mailto:jesler_at_sourcefire.com> | 302-223-5974 | http://twitter.com/joelesler

------------------------------------------------------------------------------ The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com

_______________________________________________
Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

• This message: [ Message body ]
• Next message: Joel Esler: "Re: [Snort-users] alert suppression"
• Previous message: Zultan: "Re: [Snort-users] snortrules-snapshot not sustainable?"
• In reply to: Joel Esler: "Re: [Snort-users] alert suppression"
• Next in thread: Joel Esler: "Re: [Snort-users] alert suppression"
• Reply: Joel Esler: "Re: [Snort-users] alert suppression"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]