
Topic: Snort master Suppress List


Asterix
Snort master Suppress List
« on: November 28, 2012, 08:01:45 pm »
Just wanted to share my Snort suppress list. After months of being frustrated with many false positives and Snort ultimately blocking them, I have carefully put up this list. A few of them I got from other forum posts like the sensitive data section, so it's a mix of everything. I have turned on all categories and now rarely get a false positive (though I do find some once every other week). This is in no way a perfect list, but for me Snort is now less of an annoyance. You might identify some as required and not supposed to be on this list. Please let me know and I will ensure this list gets updated and has the right false positives that can be safely ignored.


suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
suppress gen_id 137, sig_id 1
# Sensitive Data disable
# Credit Card Numbers
suppress gen_id 138, sig_id 2
# U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
# U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
# Email Addresses
suppress gen_id 138, sig_id 5
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6
« Last Edit: June 14, 2015, 11:53:04 am by dvserg »

mr.rabbit
Re: Snort master Suppress List
« Reply #1 on: November 29, 2012, 08:00:39 pm »
 :D

Dude, this is awesome. I just started using Snort, for study purposes, before trying to gather some money with it... And I was having a hard time with all those false positives.
But now that I know what's going on, and how to debug it, I'm feeling more confident.

Asterix
Re: Snort master Suppress List
« Reply #2 on: December 01, 2012, 06:27:12 pm »
You're most welcome.

New addition.

suppress gen_id 1, sig_id 16313

Treffin
Re: Snort master Suppress List
« Reply #3 on: December 02, 2012, 02:59:33 am »
Here is what I've compiled so far, added to your list.  I run an ALL unix/BSD/OSX network here with only a single Microsoft OS machine on the network.  (It's the token Winblows machine just in case I need to remember what EPIC FAILURE looks like.)  Therefore if you are running Windows you may not want to suppress a few of these.  I've left some of the documentation lines intact to help with identification.  All alerts that were triggered by the rules in this set were verified as false positives.  However, you are advised to suppress at your own risk, as your alerts might be real. :-)

# gen_id_1
suppress gen_id 1, sig_id 536
#"GPL SHELLCODE x86 NOOP"
suppress gen_id 1, sig_id 648
#GPL SHELLCODE x86 0x90 unicode NOOP
suppress gen_id 1, sig_id 653
# This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
# FILE-IDENTIFY download of executable content -> stops file downloads
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
# This event indicates that a portable executable file has been downloaded.
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
# FILE-IDENTIFY download of executable content - x-header  -> stops windows download
suppress gen_id 1, sig_id 16313
#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 2000334
#"ET TFTP Outbound TFTP Read Request" -- VONAGE
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088
#ET SHELLCODE Common 0a0a0a0a Heap Spray String
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013222
#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014819
#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
#
#WEB-CLIENT libpng malformed chunk denial of service attempt
suppress gen_id 3, sig_id 14772
#
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
#(http_inspect) NON-RFC DEFINED CHAR
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
#
# HTTP Inspect Errors
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10
#
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
#
#(spp_frag3) Bogus fragmentation packet. Possible BSD attack
suppress gen_id 123, sig_id 10
#
suppress gen_id 137, sig_id 1
# Sensitive Data disable
# Credit Card Numbers
suppress gen_id 138, sig_id 2
# U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
# U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
# Email Addresses
suppress gen_id 138, sig_id 5
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6

==========
Hope this helps someone out there.

David

Asterix
Re: Snort master Suppress List
« Reply #4 on: December 04, 2012, 12:29:53 am »
Adding this to the list :-)

#FILE-IDENTIFY Armadillo v1.71 packer file magic detected
suppress gen_id 1, sig_id 23256

xbaldx
Re: Snort master Suppress List
« Reply #5 on: December 10, 2012, 01:05:52 pm »
Thanks for posting the list.  Really helpful.

Asterix
Re: Snort master Suppress List
« Reply #6 on: December 16, 2012, 09:34:33 pm »
2 more..


#GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt
suppress gen_id 1, sig_id 2103192
#ET SHELLCODE Possible Call with No Offset TCP Shellcode
suppress gen_id 1, sig_id 2012086

Asterix
Re: Snort master Suppress List
« Reply #7 on: August 04, 2013, 02:13:34 pm »
I now have a pretty solid suppress list. Have tested it for a good 8 months.

suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 23256
suppress gen_id 1, sig_id 24889
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2000419
suppress gen_id 1, sig_id 2003195
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2008578
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2010935
suppress gen_id 1, sig_id 2010937
suppress gen_id 1, sig_id 2011716
suppress gen_id 1, sig_id 2012086
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2012141
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2013414
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014726
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2103192
suppress gen_id 1, sig_id 2013504
suppress gen_id 1, sig_id 2406003
suppress gen_id 1, sig_id 2406067
suppress gen_id 1, sig_id 2406069
suppress gen_id 1, sig_id 2406424
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
# Unknown
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
#(spp_frag3) Bogus fragmentation packet. Possible BSD attack
suppress gen_id 123, sig_id 10
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
# Credit Card Numbers
suppress gen_id 138, sig_id 2
# U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
# U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
# Email Addresses
suppress gen_id 138, sig_id 5
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6
#(spp_sip) Maximum dialogs within a session reached
suppress gen_id 140, sig_id 27
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
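An added example, not from this thread or from the pfSense Snort package: a small Python checker that parses a suppress list in the syntax posted above, reports duplicate and unparsable lines (duplicates creep in when lists from several posts are merged), and tells you which sample alert lines the list would silence. The suppress entries, the `track by_src, ip` form used to narrow one entry to a single host, and the alert lines are constructed for the example.

```python
import re
# Constructed sample in the same syntax as the lists in this thread; the last entry
# uses Snort's optional "track by_src|by_dst, ip" qualifier to limit a suppression
# to one host instead of silencing the signature for every source.
SUPPRESS_LIST = """\
# Credit Card Numbers
suppress gen_id 138, sig_id 2
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 536
suppress gen_id 119, sig_id 31
suppress gen_id 1, sig_id 648, track by_src, ip 192.0.2.10
"""
# Constructed alert lines in Snort's fast format (no real hosts or messages).
ALERTS = [
    "11/28-20:01:45.000001  [**] [1:536:9] sample msg [**] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.0.5:51234",
    "11/28-20:01:46.000001  [**] [1:648:10] sample msg [**] [Priority: 1] {TCP} 198.51.100.7:80 -> 10.0.0.5:51235",
]

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
# Snort "fast" alert line: "... [gid:sid:rev] msg ... {proto} src:port -> dst:port"
# (IPv4 assumed; the port part is absent for ICMP alerts, hence optional).
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):\d+\].*\{\w+\}\s+([^\s:]+)(?::\d+)?\s+->\s+([^\s:]+)(?::\d+)?\s*$"
)

def parse_suppress_list(text):
    """Return (entries, problems). An entry is (gid, sid, track, ip), track/ip None for
    a global suppression; duplicates and unparsable lines are reported, not dropped."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: unparsable: {line}")
            continue
        entry = (int(m[1]), int(m[2]), m[3], m[4])
        if entry in entries:
            problems.append(f"line {lineno}: duplicate of {entry[0]}:{entry[1]}")
            continue
        entries.append(entry)
    return entries, problems

def would_be_suppressed(entries, alert_line):
    """True/False for a parsable fast-alert line, None if it is not one."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None
    gid, sid, src, dst = int(m[1]), int(m[2]), m[3], m[4]
    for e_gid, e_sid, track, ip in entries:
        if (e_gid, e_sid) != (gid, sid):
            continue
        if track is None or (src if track == "by_src" else dst) == ip:
            return True
    return False
```

Run it over a copy of your own alert log before committing a merged list: any alert that comes back True is one you will never see again while the entry stays in place.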

jflsakfja
This post is my personal view and does not represent the view of my employer.

Demetris Demetriou aka jflsakfja

“well, it depends, if I’m in the mood, perhaps, now STFU, you didn’t pay for it, did you?” - A brother in arms.

Asterix
Re: Snort master Suppress List
« Reply #9 on: August 07, 2013, 04:52:35 pm »
Being a bit frank here..

I understand what you are trying to do about saving CPU cycles.. but look at my list.. do you think going in and changing rules for the entire list is really that efficient? Maybe for an Atom or old Celeron based CPU.. but in my view doing this is just a waste of time. Processing that list of suppressions is not that CPU intensive and honestly a waste of time to go in and change rulesets while setting up pfSense.. especially when you rebuild your box frequently.

It's not thousands of suppressions .. not even hundreds..

jflsakfja
Re: Snort master Suppress List
« Reply #10 on: August 13, 2013, 03:18:53 am »
Being a bit frank here..
Everything looks like a nail when all you have is a hammer.

I stated the correct way of making sure snort is under control. Disable a rule, if you cannot find it (one of the preprocessor rules) use suppression.

Disclaimer: This is not a personal attack and should not be considered as such. This is my personal opinion and does not necessarily reflect the view of the company I work for, nor any of my colleagues. You are hereby granted the right to use this opinion as you see fit, provided that you do not change and/or modify and/or alter it in any way and/or shape and/or form, including but not limited to removing this disclaimer.


Maybe for a home network a 1ms latency does not matter. Then again, my opinion is not based on a home network.

Asterix
Re: Snort master Suppress List
« Reply #11 on: August 15, 2013, 10:40:45 pm »
Even for an enterprise network this procedure is impractical for saving 1ms...  15-20ms maybe. But that can be solved easily with a faster CPU.

If you have a hammer, don't go hunting for nails just for the sake of using it.
« Last Edit: August 15, 2013, 10:42:24 pm by asterix »

jflsakfja
Re: Snort master Suppress List
« Reply #12 on: August 16, 2013, 06:19:04 pm »
I thought this was BSD and not Linux? I mean everyone working together instead of against each other? (Comment for all random people reading this: I will never retract that statement, even on my deathbed. Deal with it)

There are a lot more people out there using older boxes to run pfsense and snort. I'm using a couple of P4s for an enterprise network. Why? Because the brand new 5 year warranty PSU in one of them blew up and the box still works, and it costs 2 times as much as a single box (box does not include PSU). Just making sure I'm not misunderstood here, the motherboards in them are brand new supermicros and cost 35EUR. Did I mention that it was behind a datacenter grade UPS?

There are certainly a LOT more people out there using Atom boxes. Atoms can be thought of like P4s. On prescription medicine, so they work a bit faster, but still they are weak and need to recover from that illness they have before they work a bit faster. Don't get me wrong, they saturate most connections easily.

There is a small, I'll go ahead and name it 0.1%, of the whole of pfsense ecosystem that is using E3s. And a 0.1% of that 0.1% has access to a >500Mbit connection to put those boxes under any serious stress (yes I know speed is not the limit, it's packets, but this is not a court of law so stop using everything I say against me). I'm still talking about pfsense+snort btw.
My point? Exit through the door, and not through the window, because it's the proper way to exit. It might take a couple of steps longer, but everyone will not think you are mad.

And now I have to prove my point, which I always hate to do. Since it has already hit the fan, you are already in the Snort alerts tab looking to disable/suppress a rule. It takes 5 secs to click on an alert to auto suppress it, 1 sec to click on interfaces and, depending on the rules active, 15 seconds to restart an interface. Mine take a minute, but I've been known to break Snort's pages by having too many rules enabled. Back in alerts. 1 sec to figure out where a rule is, 1 sec to click on Interfaces, 2 secs to get to the edit page, and 1 sec to get to the rule page. That's where my method is screwed. It takes 5 whole seconds to render the GPL rules (since that's the starting rule page). Let's disable a rule. It takes 20 secs to disable a rule, apply changes, click interface tab, restart interface (again depends on how many rules you have active).
Let's sum it up: 21 secs to autosuppress a rule. 30 secs to disable a rule. So far looks like you win. But I always save up an ace just in case. My method makes sure that if someone screws up a rule, Snort will start when it autoupdates.

My final statement: Always disable rules. If you can't find a rule, then suppress it. It might take longer/be a bit trickier, but it's still nothing compared to 16 hours daily monitoring boxes. Learn to do something the right way from the start and be done with it.

PS.
Re-reading my post (bad habit, I know, I'm planning to quit any time now) makes me sound like a crazy-haired/raving/demented scientist locked up in a basement somewhere. I'm just trying to get everyone to follow the correct way. The way of the Lo... oh wait  ;D
If you find it easier to suppress rules, go ahead and suppress them. The difference in speed, yes, it's too small, but there are other downsides to suppressing a rule as mentioned above. Most of the time you will not notice anything and everyone will be happy. Except me. I'll still think anyone that suppresses before disabling is jumping out the window.  :D

P-PS
I WILL NOT retract my Linux statement. I am a Linux user though, for full disclosure.

Asterix
Re: Snort master Suppress List
« Reply #13 on: August 22, 2013, 09:37:04 am »
If someone is using Atoms or P4s then they shouldn't be running Snort on that box.. period.

For me .. I still go by the suppression list as it's quicker and I like to make use of my CPU rather than letting it sit idle and just consume power... :P

Cino
Re: Snort master Suppress List
« Reply #14 on: August 22, 2013, 08:36:03 pm »
I'm running an Atom, 4 Snort sensors (using different suppression lists), squid3, traffic shaping, 2 OpenVPN connections. Everything runs great through my 30mbit WAN.