Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

Excluding Alerts - How To?

BASE-user
j_g
2007-06-08
2013-06-03
  • j_g
    j_g
    2007-06-08

    Hello List! Thanks so much for providing this forum to post questions and for taking the time to answer our questions!

    I've now got Snort & Barnyard installed on two of my servers and BASE logging alerts from both of them! However, I'd like to exclude some of the alerts from one of my servers that are currently being logged. I want to exclude any messages that contain the word 'SNMP' and come from a specific ip addresses; how can I configure BASE to stop logging these?

    Thanks for your time and help!
    -jg

     
    • j_g
      j_g
      2007-06-08

      I should probably also specify that I'm using version 1.3.6 of BASE.

      Thanks!

       
      • kryptikET
        kryptikET
        2007-06-08

        The easiest way to do this is to configure your threshold.conf file.  Generally found in /etc/snort/rules/threshold.conf.  (Note: Ensure the following line "include /etc/snort/rules/threshold.conf" exists in /etc/snort.conf).

        Then you would add lines similar to the following:

        #name of Rule
        suppress gen_id 1, sig_id 1564, track by_dst, ip 1.1.1.1
        suppress gen_id 1, sig_id 2003020, track by_src, ip 1.1.1.1

        Where sig_id = the sid: #### located in .rules file
        and track_by_dst means the destination IP
        and track_by_src means the source IP

        Here is an example using the first rule in the /etc/snort/rules/snmp.rules file
        <snip from snmp.rules>
        alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string
        attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; refere
        nce:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
        </snip>

        so if we wanted to block all alerts on this rule from 192.168.0.1 and all alerts to 10.0.0.1 we would add the following to the threshold.conf file:

        #SNMP missing community string
        suppress gen_id 1, sig_id 1893, track by_dst, ip 10.0.0.1
        suppress gen_id 1, sig_id 1893, track by_src, ip 192.168.0.1

        Once you add the text, restart snort.  If snort doesn't restart, your syntax isn't correct.

         
    • j_g
      j_g
      2007-06-08

      I thought I might have had an answer, but it didn't work - I tried something on the Snort side of things...

      I tried to write some "Suppression" rules in the 'threshold.conf' file that look like:

      suppress gen_id 1, sig_id 1411, track by_src, ip MY.SRC.IP.ADDR
      suppress gen_id 1, sig_id 1417, track by_src, ip MY.SRC.IP.ADDR

      I know the sig_id's are correct from the sid-msg.map file and the text in the messages I was receiving, the only thing I'm not sure of is the gen_id #.

      I cleared out my DB and all log files, etc., and restarted Snort & Barnyard on both servers -> but, when it starts logging events in BASE again, I'm still seeing these messages that I thought I had just suppressed...

      Any thoughts/ideas from the experts??

      Thanks!!
      -jg

       
    • j_g
      j_g
      2007-06-08

      Thanks for the reply...so I was on the right track.  Just got caught on one snafu - in the snort.conf the following is commented out by default and I just had to uncomment it:

      #include threshold.conf

      Once I did that and restarted it, I was not seeing those events come through any longer.

      Have a super weekend!
      -jg

       
      • kryptikET
        kryptikET
        2007-06-09

        No problem.  I guess if I'd read the entire thread before posting, I wouldn't have had such a lengthy reply... sry.