{"id":188,"date":"2017-04-28T10:23:21","date_gmt":"2017-04-28T10:23:21","guid":{"rendered":"http:\/\/info.ffteixeira.net\/2017\/04\/28\/configure-thresholding-and-suppression-snort\/"},"modified":"2017-04-28T10:23:21","modified_gmt":"2017-04-28T10:23:21","slug":"configure-thresholding-and-suppression-snort","status":"publish","type":"post","link":"https:\/\/blog.ffteixeira.net\/?p=188","title":{"rendered":"Configure Thresholding and Suppression Snort"},"content":{"rendered":"<div>Thresholding:<\/div>\n<div>This feature is used to reduce the number of logged alerts for noisy rules.<\/div>\n<div>This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.<\/div>\n<div>&nbsp;<\/div>\n<div>Edit:<\/div>\n<pre>\n#nano \/etc\/snort\/threshold.conf<\/pre>\n<div>&nbsp;<\/div>\n<div>Format<\/div>\n<div>&nbsp;<\/div>\n<div>The suppress configuration has two forms:<\/div>\n<pre>\nsuppress \\\n        gen_id &lt;gid&gt;, sig_id &lt;sid&gt;\n<\/pre>\n<p>&nbsp;<\/p>\n<pre>\nsuppress \\\n        gen_id &lt;gid&gt;, sig_id &lt;sid&gt;, \\\n        track &lt;by_src|by_dst&gt;, ip &lt;ip-list&gt;\n<\/pre>\n<p>&nbsp;<\/p>\n<p>Example:<\/p>\n<pre class=\"CodeBlock\">\n<code># snort: &quot;GPL ICMP_INFO PING *NIX&quot;\nsuppress gen_id 1, sig_id 2100366<\/code><\/pre>\n<p>&nbsp;<\/p>\n<div>\n<table border=\"1\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Option<\/th>\n<th>Description<\/th>\n<\/tr>\n<tr>\n<td>gen_id &lt;gid&gt;<\/td>\n<td>\n<p>Specify the generator ID of an associated rule. gen_id 0, sig_id 0 can be used to specify a &quot;global&quot; threshold that applies to all rules.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>sig_id &lt;sid&gt;<\/td>\n<td>\n<p>Specify the signature ID of an associated rule. 
sig_id 0 specifies a &quot;global&quot; filter because it applies to all sig_ids for the given gen_id.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>track by_src|by_dst<\/td>\n<td>\n<p>Suppress by source IP address or destination IP address. This is optional, but if present, ip must be provided as well.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>ip &lt;list&gt;<\/td>\n<td>\n<p>Restrict the suppression to only source or destination IP addresses (indicated by track parameter) determined by &lt; list &gt;. If track is provided, ip must be provided as well.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"file-navigation js-zeroclipboard-container\">\n<div class=\"breadcrumb js-zeroclipboard-target\"><strong class=\"final-path\">Snort master suppress list<\/strong><\/div>\n<div class=\"breadcrumb js-zeroclipboard-target\">&nbsp;<\/div>\n<pre>\n#This event is generated when an attempt is made to gain access to private resources using Samba.\nsuppress gen_id 1, sig_id 536\n#GPL SHELLCODE x86 NOOP\nsuppress gen_id 1, sig_id 648\n#GPL SHELLCODE x86 0x90 unicode NOOP\nsuppress gen_id 1, sig_id 653\n#This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines. 
\nsuppress gen_id 1, sig_id 1390\n#This event is generated when an attempt is made to return to a web client a file with a Class ID (CLSID) embedded in the file.\nsuppress gen_id 1, sig_id 8375\n#This event is generated when network traffic that indicates download of executable content is being used.\nsuppress gen_id 1, sig_id 11192\n#This event is generated when an attempt is made to exploit a known vulnerability in Safari.\nsuppress gen_id 1, sig_id 12286\n#This event is generated when an attempt is made to exploit a known vulnerability in an ActiveX control.\nsuppress gen_id 1, sig_id 15147\n#This rule generates events when a portable executable file is downloaded.\nsuppress gen_id 1, sig_id 15306\n#This event is generated when obfuscated javascript containing excessive fromCharCode is detected.\nsuppress gen_id 1, sig_id 15362\n#FILE-IDENTIFY download of executable content - x-header  -&gt; stops windows download\nsuppress gen_id 1, sig_id 16313\n#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt\nsuppress gen_id 1, sig_id 16482\n#This event is generated when an attempt is made to exploit a known vulnerability in internet security.\nsuppress gen_id 1, sig_id 17458\n#This event is generated when an attempt is made to exploit a known vulnerability in firefox.\nsuppress gen_id 1, sig_id 20583\n#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.\nsuppress gen_id 1, sig_id 23098\n#FILE-IDENTIFY Armadillo v1.71 packer file magic detected\nsuppress gen_id 1, sig_id 23256\n#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.\nsuppress gen_id 1, sig_id 24889\n#ET P2P? BitTorrent? peer sync\nsuppress gen_id 1, sig_id 2000334\n#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)\nsuppress gen_id 1, sig_id 2010516\n#ET SHELLCODE Possible Call with No Offset TCP Shellcode\nsuppress gen_id 1, sig_id 2012088\n#ET SHELLCODE Excessive Use of HeapLib? 
Objects Likely Malicious Heap Spray Attempt\nsuppress gen_id 1, sig_id 2013222\n#ET INFO Packed Executable Download\nsuppress gen_id 1, sig_id 2014819\n#ET INFO EXE - Served Attached HTTP\nsuppress gen_id 1, sig_id 2014520\n#GPL SHELLCODE x86 inc ebx NOOP\nsuppress gen_id 1, sig_id 2101390\n#GPL WEB_CLIENT PNG large colour depth download attempt\nsuppress gen_id 1, sig_id 2103134\n#ET POLICY PE EXE or DLL Windows file download\nsuppress gen_id 1, sig_id 2000419\n#ET POLICY Unusual number of DNS No Such Name Responses\nsuppress gen_id 1, sig_id 2003195\n#ET POLICY Suspicious inbound to MSSQL port 1433\nsuppress gen_id 1, sig_id 2010935\n#ET POLICY Suspicious inbound to mySQL port 3306\nsuppress gen_id 1, sig_id 2010937\n#ET SHELLCODE Possible Call with No Offset TCP Shellcode\nsuppress gen_id 1, sig_id 2012086\n#ET SHELLCODE Possible Call with No Offset UDP Shellcode\nsuppress gen_id 1, sig_id 2012087\n#ET SHELLCODE Possible Call with No Offset UDP Shellcode\nsuppress gen_id 1, sig_id 2012089\n#ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active\nsuppress gen_id 1, sig_id 2012141\n#ET POLICY Executable served from Amazon S3\nsuppress gen_id 1, sig_id 2013414\n#ET POLICY Outdated Windows Flash Version IE\nsuppress gen_id 1, sig_id 2014726\n#ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management\nsuppress gen_id 1, sig_id 2013504\n#BLEEDING-EDGE RBN Known Russian Business Network Traffic - Known Trojan C&amp;Cs (bleeding-rbn.rules)\nsuppress gen_id 1, sig_id 2406003\n#ET RBN Known Russian Business Network Monitored Domains\nsuppress gen_id 1, sig_id 2406067\n#ET RBN Known Russian Business Network Monitored Domains\nsuppress gen_id 1, sig_id 2406069\n#ET TFTP Outbound TFTP Read Request -- VONAGE\nsuppress gen_id 1, sig_id 2008120\n#ET SHELLCODE Common 0a0a0a0a Heap Spray String\nsuppress gen_id 1, sig_id 2012252\n#ET INFO DYNAMIC_DNS Query to *.dyndns. 
Domain\nsuppress gen_id 1, sig_id 2012758\n#ET INFO EXE - OSX Disk Image Download\nsuppress gen_id 1, sig_id 2014518\n#ET INFO PDF Using CCITTFax Filter\nsuppress gen_id 1, sig_id 2015561\n#GPL ICMP_INFO PING *NIX\nsuppress gen_id 1, sig_id 2100366\n#GPL ICMP_INFO\nsuppress gen_id 1, sig_id 2100368\n#GPL SHELLCODE x86 stealth NOOP\nsuppress gen_id 1, sig_id 2100651\n#GPL SHELLCODE x86 0xEB0C NOOP\nsuppress gen_id 1, sig_id 2101424\n#GPL SHELLCODE x86 0x90 NOOP unicode\nsuppress gen_id 1, sig_id 2102314\n#WEB-CLIENT libpng malformed chunk denial of service attempt\nsuppress gen_id 3, sig_id 14772\n#(http_inspect) DOUBLE DECODING ATTACK\nsuppress gen_id 119, sig_id 2\n#(http_inspect) BARE BYTE UNICODE ENCODING\nsuppress gen_id 119, sig_id 4\n#(http_inspect) IIS UNICODE CODEPOINT ENCODING\nsuppress gen_id 119, sig_id 7\n#(http_inspect) NON-RFC DEFINED CHAR [**]\nsuppress gen_id 119, sig_id 14\n#(http_inspect) UNKNOWN METHOD\nsuppress gen_id 119, sig_id 31\n#(http_inspect) SIMPLE REQUEST\nsuppress gen_id 119, sig_id 32\n#(http_inspect) UNESCAPED SPACE IN HTTP URI\nsuppress gen_id 119, sig_id 33\n#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE\nsuppress gen_id 120, sig_id 2\n#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE\nsuppress gen_id 120, sig_id 3\n#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE\nsuppress gen_id 120, sig_id 4\n#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED\nsuppress gen_id 120, sig_id 6\n#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE\nsuppress gen_id 120, sig_id 8\n#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1\nsuppress gen_id 120, sig_id 9\n#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED\nsuppress gen_id 120, sig_id 10\n#(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA\nsuppress gen_id 120, sig_id 11\n#(portscan) UDP PORTSWEEP\nsuppress gen_id 122, sig_id 19\n#(portscan) UDP Filtered Portscan\nsuppress gen_id 122, sig_id 
21\n#(portscan) UDP Filtered Decoy Portscan\nsuppress gen_id 122, sig_id 22\n#(portscan) UDP PORTSWEEP FILTERED\nsuppress gen_id 122, sig_id 23\n#(portscan) ICMP PORTSWEEP FILTERED\nsuppress gen_id 122, sig_id 26\n#(spp_frag3) Bogus fragmentation packet. Possible BSD attack\nsuppress gen_id 123, sig_id 10\n#(smtp) Attempted response buffer overflow: 1448 chars\nsuppress gen_id 124, sig_id 3\n#(ftp_telnet) Invalid FTP Command\nsuppress gen_id 125, sig_id 2\n#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected\nsuppress gen_id 137, sig_id 1\n##SENSITIVE DATA DISABLE##\n#Credit Card Numbers\nsuppress gen_id 138, sig_id 2\n#U.S. Social Security Numbers (with dashes)\nsuppress gen_id 138, sig_id 3\n#U.S. Social Security Numbers (w\/out dashes)\nsuppress gen_id 138, sig_id 4\n#Email Addresses\nsuppress gen_id 138, sig_id 5\n#U.S. Phone Numbers\nsuppress gen_id 138, sig_id 6\n#(spp_sip) Empty request URI\nsuppress gen_id 140, sig_id 2\n#(spp_sip) URI is too long\nsuppress gen_id 140, sig_id 3\n#(spp_sip) Maximum dialogs within a session reached\nsuppress gen_id 140, sig_id 27\n#(IMAP) Unknown IMAP4 command\nsuppress gen_id 141, sig_id 1\n#(IMAP) Unknown IMAP4 response\nsuppress gen_id 141, sig_id 2\n###\n#ET POLICY PE EXE or DLL Windows file download HTTP\nsuppress gen_id 1, sig_id 2018959\n#ET POLICY HTTP traffic on port 443 (POST)\nsuppress gen_id 1, sig_id 2013926\n#ET POLICY Data POST to an image file (gif)\nsuppress gen_id 1, sig_id 2010066\n#ET INFO Session Traversal Utilities for NAT (STUN Binding Response)\nsuppress gen_id 1, sig_id 2016150\n#ET INFO Session Traversal Utilities for NAT (STUN Binding Request)\nsuppress gen_id 1, sig_id 2016149\n#ET POLICY Dropbox.com Offsite File Backup in Use\nsuppress gen_id 1, sig_id 2012647\n#ET POLICY Logmein.com\/Join.me SSL Remote Control Access\nsuppress gen_id 1, sig_id 2014756\n#ET POLICY Pandora Usage\nsuppress gen_id 1, sig_id 2014997\n#ET POLICY iTunes User Agent\nsuppress gen_id 1, sig_id 2002878\n#ET POLICY 
Windows-Based OpenSSL Tunnel Outbound\nsuppress gen_id 1, sig_id 2012078\n#ET POLICY Executable and linking format (ELF) file download\nsuppress gen_id 1, sig_id 2000418\n#ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)\nsuppress gen_id 1, sig_id 2009801\n#ET POLICY TeamViewer Dyngate User-Agent\nsuppress gen_id 1, sig_id 2009475\n#ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection\nsuppress gen_id 1, sig_id 2009020\n#ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection\nsuppress gen_id 1, sig_id 2008989\n#ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection\nsuppress gen_id 1, sig_id 2008988\n#ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection\nsuppress gen_id 1, sig_id 2008987\n#ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection\nsuppress gen_id 1, sig_id 2008986\n#ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection\nsuppress gen_id 1, sig_id 2008985\n#ET POLICY Logmein.com Host List Download\nsuppress gen_id 1, sig_id 2007765\n#ET POLICY Logmein.com Update Activity\nsuppress gen_id 1, sig_id 2007766\n#ET POLICY Microsoft TEREDO IPv6 tunneling\nsuppress gen_id 1, sig_id 2003155\n#ET POLICY Netflix On-demand User-Agent\nsuppress gen_id 1, sig_id 2007638\n#ET POLICY TeamViewer Keep-alive outbound\nsuppress gen_id 1, sig_id 2008794\n#ET POLICY TeamViewer Keep-alive inbound\nsuppress gen_id 1, sig_id 2008795\n#APP-DETECT TeamViewer remote administration tool outbound connection attempt\nsuppress gen_id 1, sig_id 34463\n#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use\nsuppress gen_id 1, sig_id 2020565\n#ET INFO JAVA - ClassID\nsuppress gen_id 1, sig_id 2016360\n#ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain\nsuppress gen_id 1, sig_id 2013097\n#ET INFO Executable Retrieved With Minimal HTTP Headers - 
Potential Second Stage Download\nsuppress gen_id 1, sig_id 2016538\n#ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)\nsuppress gen_id 1, sig_id 2011704\n#ET POLICY Unsupported\/Fake Internet Explorer Version MSIE 5.\nsuppress gen_id 1, sig_id 2016870\n#ET POLICY Vulnerable Java Version 1.6.x Detected\nsuppress gen_id 1, sig_id 2011582\n#ET POLICY Vulnerable Java Version 1.8.x Detected\nsuppress gen_id 1, sig_id 2019401\n#ET MALWARE Adware.iBryte.B Install\nsuppress gen_id 1, sig_id 2018194\n#ET POLICY HTTP traffic on port 443 (HEAD)\nsuppress gen_id 1, sig_id 2013927\n#ET POLICY Possible IP Check api.ipify.org\nsuppress gen_id 1, sig_id 2019512\n#ET POLICY BingBar ToolBar User-Agent (BingBar)\nsuppress gen_id 1, sig_id 2013715\n#ET POLICY User-Agent (Launcher)\nsuppress gen_id 1, sig_id 2010645\n#ET INFO JAVA - document.createElement applet\nsuppress gen_id 1, sig_id 2015707\n\n##OPTIONAL RULES BELOW##\n##UNCOMMENT SUPPRESS LINE TO ENABLE##\n\n#(ftp_telnet) FTP bounce attempt\n#suppress gen_id 125, sig_id 8\n#ET TOR Known Tor Relay\/Router (Not Exit) Node UDP Traffic group 647\n#suppress gen_id 1, sig_id 2523293\n#ET TOR Known Tor Exit Node UDP Traffic group 89\n#suppress gen_id 1, sig_id 2520177\n#ET TOR Known Tor Relay\/Router (Not Exit) Node UDP Traffic group 89\n#suppress gen_id 1, sig_id 2522177\n#ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy\n#suppress gen_id 1, sig_id 2014703\n#ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy\n#suppress gen_id 1, sig_id 2014702\n#FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt\n#suppress gen_id 1, sig_id 25459\n#ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)\n#suppress gen_id 1, sig_id 2010525\n#ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack\n#suppress gen_id 1, sig_id 2019416\n#ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated 
System\n#suppress gen_id 1, sig_id 2007695\n#ET SCAN Potential SSH Scan OUTBOUND\n#suppress gen_id 1, sig_id 2003068\n#ET MALWARE W32\/OpenCandy Adware Checkin\n#suppress gen_id 1, sig_id 2014122\n#ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com\n#suppress gen_id 1, sig_id 2015633\n#ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com\n#suppress gen_id 1, sig_id 2015634\n#ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain\n#suppress gen_id 1, sig_id 2013744\n#ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com\n#suppress gen_id 1, sig_id 2014867\n#ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com\n#suppress gen_id 1, sig_id 2014868\n<\/pre>\n<div class=\"breadcrumb js-zeroclipboard-target\">&nbsp;<\/div>\n<\/div>\n<p><a href=\"http:\/\/manual-snort-org.s3-website-us-east-1.amazonaws.com\/node19.html\" target=\"_blank\" rel=\"noopener noreferrer\">Credits <\/a><\/p>\n<p><a href=\"https:\/\/pastebin.com\/DWs27SPX\" target=\"_blank\" rel=\"noopener noreferrer\">Suppress List<\/a> |&nbsp;<a href=\"https:\/\/github.com\/cristianmenghi\/pfsense-snort\/blob\/master\/Snort%20master%20suppress%20list\" style=\"font-size: 13.008px\" target=\"_blank\" rel=\"noopener noreferrer\">Suppress List<\/a><span style=\"font-size: 13.008px\"> |&nbsp;<\/span><a href=\"https:\/\/forum.pfsense.org\/index.php?topic=56267.0\" style=\"font-size: 13.008px\" target=\"_blank\" rel=\"noopener noreferrer\">Suppress List<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thresholding: This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be&nbsp;used to write a newer breed of rules. 
Thresholding commands limit the &hellip; <a href=\"https:\/\/blog.ffteixeira.net\/?p=188\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-188","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/posts\/188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=188"}],"version-history":[{"count":0,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=\/wp\/v2\/posts\/188\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ffteixeira.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}