Suppress and Pass Rules don't seem to be working.


Stanek Tool

Feb 11, 2015, 3:44:16 PM
to securit...@googlegroups.com
I'm trying to suppress the "PROTOCOL-DNS TMG Firewall client long host exploit" rule on my Security Onion server. I've added a suppression to my threshold.conf file.

suppress gen_id 1, sig_id 19187

and two pass rules to my local.rules file.

pass udp <my DNS Server> 53 -> 10.0.1.0/24 any (sid:9000026;)
pass tcp <my DNS Server> 53 -> 10.0.1.0/24 any (sid:9000026;)

I then ran "sudo rule-update".

For some reason the rule is still triggering alerts. I know I'm using the correct threshold.conf and local.rules file because other suppressions and pass rules are working fine. Does anyone have any idea why this one rule refuses to obey the suppression?

Thanks

-Craig

Doug Burks

Feb 11, 2015, 3:48:40 PM
to securit...@googlegroups.com
On Wed, Feb 11, 2015 at 3:44 PM, Stanek Tool <stane...@gmail.com> wrote:
> I'm trying to suppress the "PROTOCOL-DNS TMG Firewall client long host exploit" rule on my Security Onion server. I've added a suppression to my threshold.conf file.
>
> suppress gen_id 1, sig_id 19187

Hi Craig,

Have you tried changing "gen_id 1" to "gen_id 3"?


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Stanek Tool

Feb 11, 2015, 4:10:06 PM
to securit...@googlegroups.com
>
> Hi Craig,
>
> Have you tried changing "gen_id 1" to "gen_id 3"?

Trying now. Now that I've looked at the actual rule I see generator ID 3. Why does Snorby show the generator ID as 1 instead of 3?
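An added example, not part of the thread and not Security Onion or Snort code: a small Python re-implementation of the GID/SID matching that a threshold.conf "suppress" entry performs, run over constructed Snort fast-format alert lines. It shows why "suppress gen_id 1, sig_id 19187" leaves the alert in place while "gen_id 3" (the generator of shared-object rules) silences it, and it also handles the optional "track by_src/by_dst, ip" form. The sample lines, the second alert's SID, and the function names are all assumptions made for the example.

```python
"""Check which Snort alerts a threshold.conf 'suppress' entry would silence.

Added example (not from the thread, not Snort's or Security Onion's code).
It re-implements the GID/SID matching that Snort's suppression performs,
on constructed sample lines, so the effect of 'gen_id 1' versus 'gen_id 3'
can be seen directly.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample alert lines in Snort "fast" format. The first carries
# GID 3 (a shared-object rule) with the SID from the thread; the second is a
# GID 1 text rule with a made-up local SID so the filter has something to keep.
SAMPLE_ALERTS = [
    "02/11-15:40:01.123456  [**] [3:19187:1] PROTOCOL-DNS TMG Firewall client "
    "long host exploit [**] [Priority: 1] {UDP} 10.0.1.5:53 -> 10.0.1.20:51234",
    "02/11-15:40:02.000000  [**] [1:9000001:1] LOCAL example text rule [**] "
    "[Priority: 3] {TCP} 10.0.1.20:80 -> 10.0.1.5:40000",
]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
# suppress gen_id <g>, sig_id <s>[, track by_src|by_dst, ip <addr|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    src: str
    dst: str


@dataclass
class Suppression:
    gid: int
    sid: int
    track: Optional[str] = None   # "by_src" / "by_dst", or None = suppress all
    net: Optional[ipaddress.IPv4Network] = None


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"not a fast-format alert: {line!r}")
    return Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"])


def parse_threshold_conf(text: str) -> List[Suppression]:
    """Read the 'suppress' lines of a threshold.conf; comments and other lines are ignored."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"malformed suppress line: {raw!r}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        out.append(Suppression(int(m["gid"]), int(m["sid"]), m["track"], net))
    return out


def matches(s: Suppression, a: Alert) -> bool:
    # Both generator ID and signature ID must match: a suppression written for
    # gen_id 1 never touches a gen_id 3 (shared-object) alert, which is the
    # mismatch discussed in the thread.
    if (s.gid, s.sid) != (a.gid, a.sid):
        return False
    if s.track is None:
        return True
    addr = ipaddress.ip_address(a.src if s.track == "by_src" else a.dst)
    return addr in s.net


def surviving_alerts(lines, threshold_conf):
    """Return the messages of alerts that no suppress entry silences."""
    sups = parse_threshold_conf(threshold_conf)
    return [a.msg for a in map(parse_alert, lines)
            if not any(matches(s, a) for s in sups)]


if __name__ == "__main__":
    for conf in ("suppress gen_id 1, sig_id 19187",
                 "suppress gen_id 3, sig_id 19187"):
        print(conf, "->", surviving_alerts(SAMPLE_ALERTS, conf))
```

Running it prints the TMG alert as still present under the gen_id 1 entry and gone under the gen_id 3 entry. The practical check this encodes: read the GID from the alert itself (the first number in [gid:sid:rev]) rather than from a console display, and write the suppression against that value.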