snort-users May 2009 archive

Re: [Snort-users] alert suppression

From: Joel Esler <jesler_at_nospam>
Date: Wed May 06 2009 - 20:33:30 GMT
To: "Jefferson, Shawn" <Shawn.Jefferson@bcferries.com>


You can grep for the word "tag".
Like I said, there is only one VRT rule that has it turned on; otherwise the alerts are probably coming from pseudo packets out of some preprocessor. If you are running a ruleset from other rule repositories, there are lots of rules with "tag" in the Emerging-Threats rules.

J

On Wed, May 6, 2009 at 4:28 PM, Jefferson, Shawn <Shawn.Jefferson@bcferries.com> wrote:

> Hi,
>
> 1. I'm not sure. I didn't even know that this alert could be triggered
> by a rule instead of the pre-processor. How would I figure out which
> rule(s) may be triggering the tag: tagged packet alert? What's the purpose
> of this alert?
>
> 2. I'll take another look at the readme for the dcerpc2 preprocessor.
> Maybe I can set some alert suppression for these in the threshold.conf file
> instead...
>
> Thanks for your help,
>
> Shawn
>
> ------------------------------
>
> From: Joel Esler [mailto:jesler@sourcefire.com]
> Sent: May 05, 2009 4:39 PM
> To: Jefferson, Shawn
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] alert suppression
>
> What alert is generating the tag alerts? Is it a rule, or is it the stream
> preprocessor? (grep your rules files for the word "Tag". I think there is
> only 1 rule in the VRT ruleset with tag turned on by default.)
>
> As for the dcerpc2 preprocessor, take a look at the readme. It has an
> "events none" configuration option for your snort.conf.
>
> J
>
> On Tue, May 5, 2009 at 6:25 PM, Jefferson, Shawn
> <Shawn.Jefferson@bcferries.com> wrote:
>
> Hi,
>
> I want to suppress some alerts I've been getting, specifically the tag:
> tagged packet. I've tried putting "suppress gen_id 2, sig_id 1" in the
> threshold.conf file, but this doesn't seem to be working. Is there a better
> way to suppress this alert? Especially if there is a method that is better
> performance-wise. I've looked around in the documentation and didn't see
> anything specific to the tag: tagged packet alert.
>
> Also, the new dcerpc2 preprocessor is pretty noisy in my environment,
> creating quite a few alerts each day. Can anyone share any tuning advice
> for this?
>
> Thanks,
>
> Shawn
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974 |
> http://twitter.com/joelesler
>
--
joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974 | http://twitter.com/joelesler
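To answer Shawn's first question the way Joel suggests, here is an added example (not part of the thread, and not Snort's own code): a small POSIX shell script that lists the active rules in a ruleset whose option list carries a "tag:" keyword, reporting sid, tag arguments and msg. It matches the option keyword rather than the bare word "tag", so a rule whose msg merely contains the word, or a rule that is commented out, is not reported. The rules it scans are constructed for the example with made-up sids, and the /etc/snort/rules/*.rules path in the comment is an assumed install location.

```sh
#!/bin/sh
# Added example, not code from the thread or from Snort: find the rules in a
# ruleset that carry a "tag:" option, which is what Joel suggests grepping for.
# Matching "tag:" right after a "(" or ";" avoids false hits on the bare word
# "tag" inside msg strings or comments, and commented-out rules are skipped.
# The ruleset below is constructed for this example; sids and msgs are made up.

write_sample_rules() {
    # $1: destination path. Writes a constructed four-rule file.
    cat > "$1" <<'EOF'
# constructed sample rules (hypothetical sids in the local 1000000+ range)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp login, tag the session"; flow:to_server,established; content:"USER"; sid:1000001; rev:1; tag:session,30,seconds;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE word advantage contains tag"; flow:to_server,established; content:"advantage"; sid:1000002; rev:1;)
# alert tcp any any -> any 25 (msg:"EXAMPLE disabled tagged rule"; sid:1000003; rev:1; tag:host,10,packets,src;)
alert udp any any -> any 53 (msg:"EXAMPLE dns, tag the host"; tag:host,60,seconds,src; sid:1000004; rev:1;)
EOF
}

tagged_rules() {
    # $1: rules file. Prints one line per active rule with a tag: option:
    # sid, tag arguments and msg, tab-separated, in file order. Options are
    # split on ";", so a ";" inside a quoted msg or content string would
    # confuse this simple parser.
    awk '
        /^[ \t]*#/ { next }                     # skip commented-out rules
        /[(;][ \t]*tag:/ {
            line = $0
            sub(/^[^(]*\(/, "", line)           # drop the rule header
            sub(/\)[ \t]*$/, "", line)          # drop the closing parenthesis
            sid = ""; msg = ""; tag = ""
            n = split(line, opt, ";")
            for (i = 1; i <= n; i++) {
                o = opt[i]
                sub(/^[ \t]+/, "", o)
                if (o ~ /^sid:/) { sid = o; sub(/^sid:[ \t]*/, "", sid) }
                else if (o ~ /^msg:/) { msg = o; sub(/^msg:[ \t]*"/, "", msg); sub(/"$/, "", msg) }
                else if (o ~ /^tag:/) { tag = o; sub(/^tag:[ \t]*/, "", tag) }
            }
            printf "%s\t%s\t%s\n", sid, tag, msg
        }' "$1"
}

tagged_sids() {
    # $1: rules file. The matching sids on one line, space-separated.
    tagged_rules "$1" | cut -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Run against the constructed ruleset. A real check would point at
# /etc/snort/rules/*.rules (assumed path; adjust to your install).
rules_file=$(mktemp)
write_sample_rules "$rules_file"
tagged_rules "$rules_file"
rm -f "$rules_file"
```

Only the first and fourth constructed rules are reported; the second contains "tag" only as part of a word in its msg and the third is commented out. Any rule that does show up is a candidate source of the tagged packets, since once it fires, the packets that follow on that session or host are logged by the tag mechanism rather than by the rule itself. If the scan of the whole ruleset turns up nothing, Joel's other explanation, pseudo packets from a preprocessor, is the next thing to look at.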
