Friday 30 June 2017

Snort: Adding an exception for rules when dealing with a particular host / IP

When initially setting Snort up, you will likely come across one or two (or several) false positives.

For example, in my case a specific server was being flagged when users were downloading a specific file from it over the network. The 'alert' being generated was consistent, so I wanted to ensure that this rule was not applied when the traffic was sourced from this particular server.

Fortunately, Snort allows us to do this without having to disable the rule altogether.

This can be applied in the 'thresholds.conf' file and is known as a 'suppression'. Open the file with:

sudo vi /etc/snort/thresholds.conf

and add something like:

suppress gen_id 1, sig_id 39463, track by_src, ip 10.11.12.13

then reload Snort with:

sudo systemctl reload snort
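
To check what a suppression actually hides before relying on it, here is a small audit script (an added example, not part of the original post and not a Snort tool). It parses suppress lines, reports whether a given alert would be hidden, and lists suppressions that apply to every host. The sample file contents other than the line above are constructed, and it assumes one address or CIDR per line.

```python
import ipaddress

# Constructed sample; only the first suppress line comes from the post.
SAMPLE_CONF = """\
suppress gen_id 1, sig_id 39463, track by_src, ip 10.11.12.13
suppress gen_id 1, sig_id 2000001, track by_dst, ip 192.168.50.0/24
suppress gen_id 1, sig_id 2000002   # no track/ip: applies to every host
"""

def parse_suppressions(text):
    """Parse suppress lines (assumes one address or CIDR per line, no [lists])."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress "):
            continue
        fields = {}
        for part in line[len("suppress "):].split(","):
            tokens = part.split()
            if len(tokens) == 2:
                fields[tokens[0]] = tokens[1]
        rules.append({
            "gen_id": int(fields["gen_id"]),
            "sig_id": int(fields["sig_id"]),
            "track": fields.get("track"),
            "net": ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None,
        })
    return rules

def is_suppressed(rules, gen_id, sig_id, src, dst):
    """Would an alert with this generator/signature and these endpoints be hidden?"""
    for r in rules:
        if (r["gen_id"], r["sig_id"]) != (gen_id, sig_id):
            continue
        if r["net"] is None:
            return True  # no track/ip given: suppressed regardless of host
        addr = src if r["track"] == "by_src" else dst
        if ipaddress.ip_address(addr) in r["net"]:
            return True
    return False

def global_suppressions(rules):
    """sig_ids silenced for all hosts; these deserve a second look."""
    return [r["sig_id"] for r in rules if r["net"] is None]

if __name__ == "__main__":
    rules = parse_suppressions(SAMPLE_CONF)
    print(is_suppressed(rules, 1, 39463, "10.11.12.13", "10.0.0.5"))  # server is source
    print(is_suppressed(rules, 1, 39463, "10.0.0.5", "10.11.12.13"))  # server is destination
    print(global_suppressions(rules))
```

Because the suppression above tracks by_src, the same signature still alerts when 10.11.12.13 is the destination rather than the source.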
