Hello all.
I am trying to modify snort rules in downloaded.rules.
I am getting a large amount of the same alerts towards one IP address which I know are not harmful, for example getting a group policy batch file from an AD (10.10.10.1). I don't want the alerts for this IP address regarding the SID. I modified the rule in downloaded.rules for that particular SID like:- alert any any -> $HOME_NET 445 .......
To
alert any any -> !10.10.10.1 445 ......
Then I updated rules using- rule-update
But I am still getting alerts for that IP too.
Any other suggestions?
Regards
Naveen
Thanks Ron, I had run a rule-update on the NST terminal, it restarted all the services including snort as well. And I can still see the rule modified in the downloaded.rules file.
Now I got another issue. I thought to give threshold.conf a try. Defined the IP address as source and destination to be ignored as below:-
suppress gen_id 1, sig_id 2025707, track by_src, ip 10.10.10.1
suppress gen_id 2, sig_id 2025707, track by_dst, ip 10.10.10.1
And restarted snort by- sudo nsm_sensor_ps-restart --only-snort-alert
Also did run- rule-update later.
The logs stopped coming for a while, but then the logs started appearing again on snorby.
Last edit: naveen kriss 2019-02-14
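Added example, not from the thread: a small Python checker that evaluates threshold.conf suppress entries against a constructed event for SID 2025707 the way Snort matches them. The rule header in the post is "-> $HOME_NET 445", so the AD host 10.10.10.1 is the destination of the alerting flow, and text rules are generator 1; the client address and event details are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Alert:          # one Snort event as the rules engine would raise it
    gen_id: int
    sig_id: int
    src: str
    dst: str

@dataclass
class Suppress:       # one parsed threshold.conf 'suppress' entry
    gen_id: int
    sig_id: int
    track: str = None   # "by_src", "by_dst", or None (drop the SID everywhere)
    ip: str = None      # single address or CIDR (assumption: no [a,b] lists)

def parse_suppress(line):
    """Parse 'suppress gen_id G, sig_id S[, track by_x, ip A]' into fields."""
    body = line.strip()
    if not body.startswith("suppress"):
        raise ValueError(f"not a suppress line: {line!r}")
    fields = dict(part.split() for part in body[len("suppress"):].split(","))
    return Suppress(int(fields["gen_id"]), int(fields["sig_id"]),
                    fields.get("track"), fields.get("ip"))

def suppresses(entry, alert):
    """True if this entry would silence the alert. The generator id must match:
    text rules are gen_id 1, so a gen_id 2 entry never touches a SID 2025707 hit."""
    if (entry.gen_id, entry.sig_id) != (alert.gen_id, alert.sig_id):
        return False
    if entry.track is None:
        return True
    addr = alert.src if entry.track == "by_src" else alert.dst
    return ipaddress.ip_address(addr) in ipaddress.ip_network(entry.ip, strict=False)

def is_suppressed(conf, alert):
    entries = [parse_suppress(ln) for ln in conf.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    return any(suppresses(e, alert) for e in entries)

# The two entries from the post, and a single by_dst entry on gen_id 1.
POSTED = """suppress gen_id 1, sig_id 2025707, track by_src, ip 10.10.10.1
suppress gen_id 2, sig_id 2025707, track by_dst, ip 10.10.10.1"""
BY_DST = "suppress gen_id 1, sig_id 2025707, track by_dst, ip 10.10.10.1"
# Constructed event: workstation (made-up address) fetching from the AD host on 445,
# so 10.10.10.1 is the destination, matching the '-> $HOME_NET 445' header.
EVENT = Alert(gen_id=1, sig_id=2025707, src="10.10.10.57", dst="10.10.10.1")

if __name__ == "__main__":
    print("posted entries silence the event:", is_suppressed(POSTED, EVENT))  # False
    print("gen_id 1 by_dst silences it:", is_suppressed(BY_DST, EVENT))       # True
```

Only an alert in which 10.10.10.1 is the source would be caught by the posted gen_id 1 entry, which is why the by_src/by_dst choice has to follow the rule's direction.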
Naveen:
The snort process needs to be reloaded after any rule updates. Did you reload the snort process?
---Ron Henderon
On 2/8/19, 4:22 AM, "naveen kriss" clockwise07@users.sourceforge.net wrote: