What is Suppression in Snort? And how to use it (Basic Tutorial)

Suppression allows an administrator to control how many alerts are generated from (or to) a given host or for a particular signature. 
What does it do exactly?
Suppression stops a rule's alerts from firing, either for the whole signature or only for a given source or destination host, without removing the rule from the ruleset. By using suppression, the ruleset can be quickly tuned for a specific environment without disabling rules that may be useful in general.
How does it work?
Suppose you want to download an executable file from a website. If you have enabled all the rules in Snort on your WAN interface, Snort will raise an alert and, if you have the block option enabled as well, block the offending host. Because the block is triggered by the alert, a suppressed rule no longer blocks either. You will see something similar to this in the Alerts tab.
[screenshot: the download alert as shown in the Alerts tab]

And in the Block tab you will see something like this:
[screenshot: the blocked host as shown in the Block tab]
The website I visited was “cyberduck.ch”, to download an FTP application, but Snort alerted on the download and blocked the IP of the host serving it, which is “c315635.r35.cf1.rackcdn.com”.
Now, by adding a suppression line in the Snort suppression tab, the rule sid:16313, which happens to be “download of executable content with x head”, will not fire again in the Alerts tab once I add the following lines to the suppression list.
[screenshot: the suppression list entry, a '#' title line followed by the suppress line for gen_id 1, sig_id 16313]
The first line, the one beginning with a hash (#), is just a comment: a title for the entry that reminds you later what it does.
The gen_id (1 for Snort's own text rules) and sig_id are shown with every alert in the Alerts tab, so if a rule is blocking a website you visit and want to keep reachable, filter the Alerts tab for that rule, note its gen_id and sig_id, and build the suppression line from them. A plain gen_id/sig_id entry silences the signature for all traffic; if you only want it quiet for one host, Snort's suppress syntax also accepts track by_src or track by_dst followed by ip and an address or CIDR.
Note: new suppression lines do not take effect until you restart Snort on the interface it is monitoring, because the suppression list is read when Snort starts.
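As an added example (not part of the original post), the Python script below does the steps above for you: it parses an alert line of the kind shown in the Alerts tab, pulls out gen_id and sig_id, and emits the two lines to paste into the suppression list, the '#' title and the suppress directive. The alert line is a constructed sample in Snort 2.x fast-alert format using RFC 5737 documentation addresses; the suppress syntax it emits (`suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <address or CIDR>]`) is Snort 2.x's, and the optional track/ip form is what narrows the suppression to traffic from or to one host instead of silencing the signature everywhere.

```python
"""Turn a Snort 2.x fast-format alert line into suppression-list entries."""
import ipaddress
import re

# Constructed sample alert line (not from the original post): a download
# alert for sid 16313 as Snort's fast alert output prints it, with RFC 5737
# documentation addresses standing in for the CDN host and the client.
SAMPLE_ALERT = (
    "03/14-10:22:07.123456  [**] [1:16313:6] "
    "download of executable content with x header [**] [Priority: 1] "
    "{TCP} 198.51.100.25:80 -> 192.0.2.10:51234"
)

# [gen_id:sig_id:rev] followed by the rule message, terminated by the next [**]
ALERT_ID_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s*(?P<msg>.*?)\s*\[\*\*\]")
# {PROTO} src:port -> dst:port (IPv4 only, which is all this example needs)
ADDR_RE = re.compile(r"\{\w+\}\s*(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):\d+")


def parse_alert(line):
    """Pull gen_id, sig_id, message and endpoints out of one fast-alert line."""
    m = ALERT_ID_RE.search(line)
    if m is None:
        raise ValueError("no [gen_id:sig_id:rev] block found in alert line")
    a = ADDR_RE.search(line)
    return {
        "gen_id": int(m["gid"]),
        "sig_id": int(m["sid"]),
        "msg": m["msg"],
        "src": a["src"] if a else None,
        "dst": a["dst"] if a else None,
    }


def suppress_line(gen_id, sig_id, track=None, ip=None):
    """Build one Snort 2.x suppress directive.

    With no track/ip the signature is silenced everywhere; with
    track by_src|by_dst and an address or CIDR it is silenced only for
    traffic from (or to) that host or network.
    """
    if (track is None) != (ip is None):
        raise ValueError("track and ip must be given together")
    line = f"suppress gen_id {gen_id}, sig_id {sig_id}"
    if track is not None:
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        ipaddress.ip_network(ip, strict=False)  # reject typos before Snort sees them
        line += f", track {track}, ip {ip}"
    return line


def suppression_entry(alert_line, scope=None):
    """Return the two lines to paste into the suppression list for an alert.

    scope=None   -> suppress the signature for all traffic
    scope="src"  -> only when the alert's source host is the source
    scope="dst"  -> only when the alert's destination host is the destination
    The first line is the '#' title that reminds you what the entry is for.
    """
    alert = parse_alert(alert_line)
    title = f"# sid {alert['sig_id']}: {alert['msg']}"
    if scope is None:
        rule = suppress_line(alert["gen_id"], alert["sig_id"])
    elif scope in ("src", "dst"):
        host = alert[scope]
        if host is None:
            raise ValueError("alert line carries no addresses to scope by")
        rule = suppress_line(alert["gen_id"], alert["sig_id"], f"by_{scope}", host)
    else:
        raise ValueError("scope must be None, 'src' or 'dst'")
    return [title, rule]


if __name__ == "__main__":
    # Whole-signature entry, as in the post, then the narrower per-host variant.
    print("\n".join(suppression_entry(SAMPLE_ALERT)))
    print("\n".join(suppression_entry(SAMPLE_ALERT, scope="src")))
```

Suppressing by sid alone silences the rule for every host, which is what the post does. The scope="src" variant keeps the rule live for everyone except the host that served the download (in a download alert the server is the source address). Bear in mind that CDN addresses rotate, so a per-IP entry can quietly stop matching; either way, Snort must be restarted on the interface before the new lines are read.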
[screenshot: restarting Snort on the monitored interface]
Hope this was useful to you.
