Hello List! Thanks so much for providing this forum to post questions and for taking the time to answer our questions!
I've now got Snort & Barnyard installed on two of my servers and BASE logging alerts from both of them! However, I'd like to exclude some of the alerts from one of my servers that are currently being logged. I want to exclude any messages that contain the word 'SNMP' and come from specific IP addresses; how can I configure BASE to stop logging these?
Thanks for your time and help!
I should probably also specify that I'm using version 1.3.6 of BASE.
The easiest way to do this is to configure your threshold.conf file. Generally found in /etc/snort/rules/threshold.conf. (Note: Ensure the following line "include /etc/snort/rules/threshold.conf" exists in /etc/snort.conf).
Then you would add lines similar to the following:
#name of Rule
suppress gen_id 1, sig_id 1564, track by_dst, ip 22.214.171.124
suppress gen_id 1, sig_id 2003020, track by_src, ip 126.96.36.199
Where sig_id = the sid:#### located in the .rules file,
track by_dst means the destination IP,
and track by_src means the source IP.
Here is an example using the first rule in the /etc/snort/rules/snmp.rules file
<snip from snmp.rules>
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
So, if we wanted to block all alerts on this rule from 192.168.0.1 and all alerts to 10.0.0.1, we would add the following to the threshold.conf file:
#SNMP missing community string
suppress gen_id 1, sig_id 1893, track by_dst, ip 10.0.0.1
suppress gen_id 1, sig_id 1893, track by_src, ip 192.168.0.1
Once you add the text, restart snort. If snort doesn't restart, your syntax isn't correct.
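A small helper for the procedure above, added here as an example and not part of the thread or of Snort itself: it pulls sid and msg out of a .rules file, emits suppress lines for every rule whose msg contains a keyword (the original question asked to drop anything mentioning 'SNMP' from given addresses), and syntax-checks suppress lines before Snort is restarted. The sample rules text is constructed; only the sid 1893 rule is taken from the thread.

```python
import ipaddress
import re

# Constructed sample rules file. The first entry is the snmp.rules rule quoted in
# the thread; the other two are made up (sids in the local 1000000+ range).
SAMPLE_RULES = """\
# comment lines and blanks are ignored
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP constructed test rule"; content:"public"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH constructed test rule"; sid:1000002; rev:1;)
"""

RULE_RE = re.compile(r'msg:"(?P<msg>[^"]*)".*?\bsid:(?P<sid>\d+);')
SUPPRESS_RE = re.compile(
    r'^suppress\s+gen_id\s+(?P<gid>\d+),\s*sig_id\s+(?P<sid>\d+)'
    r'(?:,\s*track\s+(?P<track>by_src|by_dst),\s*ip\s+(?P<ip>\S+))?\s*$')


def parse_rules(text):
    """Return (sid, msg) pairs for every active rule in a Snort .rules file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip comments / disabled rules
            continue
        m = RULE_RE.search(line)
        if m:
            rules.append((int(m.group("sid")), m.group("msg")))
    return rules


def suppress_lines(rules, keyword, ip, track="by_src", gen_id=1):
    """Build threshold.conf suppress entries for rules whose msg contains keyword.
    Rules loaded from .rules files belong to generator 1, as the reply states."""
    return [f"suppress gen_id {gen_id}, sig_id {sid}, track {track}, ip {ip}"
            for sid, msg in rules if keyword.lower() in msg.lower()]


def check_suppress(line):
    """Syntax-check one suppress line before restarting Snort; return an error
    string or None. Covers a single IP or CIDR block, not bracketed IP lists."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        return "expected: suppress gen_id N, sig_id N[, track by_src|by_dst, ip ADDR]"
    if m.group("ip"):
        try:
            ipaddress.ip_network(m.group("ip"), strict=False)
        except ValueError:
            return f"ip {m.group('ip')!r} is not an IP address or CIDR block"
    return None
```

Running check_suppress over each line of threshold.conf catches the typo or placeholder address before the restart fails.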
I thought I might have had an answer, but it didn't work - I tried something on the Snort side of things...
I tried to write some "Suppression" rules in the 'threshold.conf' file that look like:
suppress gen_id 1, sig_id 1411, track by_src, ip MY.SRC.IP.ADDR
suppress gen_id 1, sig_id 1417, track by_src, ip MY.SRC.IP.ADDR
I know the sig_ids are correct from the sid-msg.map file and the text in the messages I was receiving; the only thing I'm not sure of is the gen_id #.
I cleared out my DB and all log files, etc., and restarted Snort & Barnyard on both servers, but when it starts logging events in BASE again, I'm still seeing these messages that I thought I had just suppressed...
Any thoughts/ideas from the experts??
Thanks for the reply...so I was on the right track. Just got caught on one snafu - in the snort.conf the following is commented out by default and I just had to uncomment it:
Once I did that and restarted it, I was not seeing those events come through any longer.
Have a super weekend!
No problem. I guess if I'd read the entire thread before posting, I wouldn't have had such a lengthy reply... sry.