How do you disable alerts being generated from a valid network scanner
Mark Moore
Thx in advance for any help given.
Doug Burks
If you want to ignore all traffic from a certain IP address, consider
using a BPF:
https://code.google.com/p/security-onion/wiki/BPF
Another option would be to edit threshold.conf and suppress the alerts
for the given IP:
https://code.google.com/p/security-onion/wiki/ManagingAlerts#Suppressions
On Mon, Nov 4, 2013 at 10:07 AM, Mark Moore <tornado...@gmail.com> wrote:
> We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Sever/Sensor to ignore any traffic from our scanners?
>
> Thx in advance for any help given.
>
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/groups/opt_out.
--
Doug Burks
http://securityonion.blogspot.com
Mark Moore
> We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Sever/Sensor to ignore any traffic from our scanners?
>
> Thx in advance for any help given.
suppress track by_src, ip 10.1.160.245
Doug Burks
probably better off using a BPF, as it will cut down on the amount of
traffic that the sniffing process(es) have to look at, reducing CPU
usage.
Heine Lysemose
Hi
There are ups and downs for both suggestions. Suppressions will suppress alerts but still log the traffic.
BPF filters will ignore traffic from the scanners and not log anything.
So depending your ability to "control" your scanners from being compromised, choose the method that suits you best.
/Lysemose
Jeremy Hoel
capture specifically)?
Heine Lysemose
Hi Jeremy
As standard all the different types of tools have their own BPF filters which are linked to the master BPF file.
You can break the symbolic link to make it more granular.
See, https://code.google.com/p/security-onion/wiki/BPF
Regards,
Lysemose
Mark Moore
>
> Thx in advance for any help given.
I have looked through the examples of modifying the bpf.conf file but still have a few questions regarding adding entries. It shows how to add a host, but what about a subnet? I want to exclude traffic from all our workstations to a single server. Would the below line be valid? Or bpf.conf doesn't support specifying subnets?
And lastly, want to confirm that after each line in bpf.conf, we have to && ( or do we specify 'or' if trying to match any rules but the last line in the file should not have the &&
!(src host 192.168.x.x/24 && dst host xxx.xxx.xxx.xxx && dst port 80)
Mark Moore
>
> Thx in advance for any help given.
Does anyone have a good bpf.conf file sanitized that shows a lot of variations of rules that could post here would be greatly appreciated.
Thx.
Heine Lysemose
!(src host 192.168.x.x/24 && dst host xxx.xxx.xxx.xxx && dst port 80)
--
coriumintl
( not host ( 192.168.a.aa or 192.168.a.bb or 192.168.a.cc or 192.168.a.dd or 192.168.a.ee ) )
so above it's ignoring traffic from 2 of my nas's that are used for storing backups and my backup exec main server (a.aa, a.bb, and a.dd), a gateway to our test subnet (a.cc), and lastly the DVR for our IP cameras (a.ee)
Mark Moore
>
> Thx in advance for any help given.
Thanks for the responses. I think I got it now.