snort-users May 2009 archive

Re: [Snort-users] alert suppression

From: Jefferson, Shawn <Shawn.Jefferson_at_nospam>
Date: Wed May 06 2009 - 20:44:02 GMT
To: Joel Esler <jesler@sourcefire.com>


Hi,

Yes I am running some of the emerging-threats rules, and grepping for "tag:" shows quite a few rules that use it.

Is there no way to determine which rule is generating the "tag: tagged packet" alert? What is it for exactly?

--

Shawn



From: Joel Esler [mailto:jesler@sourcefire.com]
Sent: May 06, 2009 1:34 PM
To: Jefferson, Shawn
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] alert suppression

You can grep for the word "tag".

Like I said, there is only one VRT rule that has it turned on, otherwise the alerts are probably coming from pseudo packets out of some preprocessor. If you're running a ruleset from other rule repositories, there are lots of rules with "tag" in the Emerging-Threats rules.

J
On Wed, May 6, 2009 at 4:28 PM, Jefferson, Shawn <Shawn.Jefferson@bcferries.com> wrote:

Hi,

  1. I'm not sure. I didn't even know that this alert could be triggered by a rule instead of the pre-processor. How would I figure out which rule(s) may be triggering the tag: tagged packet alert? What's the purpose of this alert?
  2. I'll take another look at the readme for the dcerpc2 preprocessor. Maybe I can set some alert suppression for these in the threshold.conf file instead...

Thanks for your help,

Shawn


From: Joel Esler [mailto:jesler@sourcefire.com]
Sent: May 05, 2009 4:39 PM
To: Jefferson, Shawn
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] alert suppression

What alert is generating the tag alerts? Is it a rule, or is it the stream preprocessor? (Grep your rules files for the word "Tag". I think there is only 1 rule in the VRT ruleset with tag turned on by default.)

As for the dcerpc2 preprocessor, take a look at the readme. It has an "events none" configuration option for your snort.conf.

J

On Tue, May 5, 2009 at 6:25 PM, Jefferson, Shawn <Shawn.Jefferson@bcferries.com> wrote:

Hi,

I want to suppress some alerts I've been getting, specifically the tag: tagged packet. I've tried putting "suppress gen_id 2, sig_id 1" in the threshold.conf file, but this doesn't seem to be working. Is there a better way to suppress this alert? Especially if there is a method that is better performance-wise. I've looked around in the documentation and didn't see anything specific to the tag: tagged packet alert.

Also, the new dcerpc2 preprocessor is pretty noisy in my environment, creating quite a few alerts each day. Can anyone share any tuning advice for this?

Thanks,

Shawn




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--

joel esler | Sourcefire | gtalk: jesler_at_sourcefire.com<mailto:jesler_at_sourcefire.com> | 302-223-5974 | http://twitter.com/joelesler

--

joel esler | Sourcefire | gtalk: jesler_at_sourcefire.com<mailto:jesler_at_sourcefire.com> | 302-223-5974 | http://twitter.com/joelesler






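The thread's answer to "which rule is generating the tag: tagged packet alert" is to grep the rule files for "tag". The script below is an added example, not code from the thread or from the Snort project: it parses Snort rule options properly instead of matching the bare word, so a rule that merely has "tagged" in its msg or content is not reported, and it prints the gid, sid, msg and tag parameters of each active rule that carries the tag option. The sample rules embedded in it are constructed for illustration and are not real VRT or Emerging Threats rules; the point that tagged packets are logged under generator 2, sid 1 is taken from the thread.

```python
"""List Snort rules that carry the "tag" rule option.

Added example, not from the thread. A rule with "tag" makes Snort log
follow-up packets of the session or host after the rule fires; those
packets show up as "tag: tagged packet" (generator 2, sid 1, per the
thread) rather than under the originating rule's own sid, so the rule
files have to be searched to find the rule responsible.
"""
import re

# Constructed sample rules for illustration only (not real VRT/ET rules).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server,established; content:"SSH-"; depth:4; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE irc join"; flow:to_server,established; content:"JOIN "; tag:session,30,seconds; sid:1000002; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE commented out"; tag:host,300,seconds,src; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE smb tag by packet count"; flow:to_server,established; content:"|FF|SMB"; tag:host,20,packets,src; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE word tagged in msg only"; content:"tagged"; sid:1000005; rev:1;)
'''

# One rule option: name, optional ":value" (quoted strings may contain
# semicolons), terminated by ";".  Rule 1000005 above shows why a plain
# grep for "tag" is not enough: the word appears only inside msg/content.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"(?:[^"\\]|\\.)*"|[^;"])*))?\s*;')


def parse_options(body):
    """Return a list of (name, value) pairs from the text inside a rule's parentheses."""
    opts = []
    pos = 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            break
        name, value = m.group(1), m.group(2)
        opts.append((name, value.strip() if value is not None else None))
        pos = m.end()
    return opts


def tagged_rules(text):
    """Return one dict (gid, sid, msg, tag) per active rule whose options include 'tag'."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blank lines and commented-out (disabled) rules
        lp, rp = line.find('('), line.rfind(')')
        if lp < 0 or rp < lp:
            continue  # not a rule line (e.g. a variable or config line)
        by_name = dict(parse_options(line[lp + 1:rp]))
        if 'tag' not in by_name:
            continue
        results.append({
            'gid': int(by_name.get('gid', '1')),  # rules default to generator 1
            'sid': int(by_name['sid']) if 'sid' in by_name else None,
            'msg': by_name.get('msg', '').strip('"'),
            'tag': by_name['tag'],
        })
    return results


if __name__ == '__main__':
    # Point this at the real rule files by reading them into `text`.
    for r in tagged_rules(SAMPLE_RULES):
        print(f"gid {r['gid']} sid {r['sid']}: {r['msg']}  tag:{r['tag']}")
```

Run against a concatenation of the loaded rule files (for example `cat /etc/snort/rules/*.rules`) instead of `SAMPLE_RULES`; each reported sid is a candidate origin of the tagged-packet events, and its tag parameters (session vs. host, duration in seconds or packets) indicate how much follow-up traffic that rule will log.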