How do you disable alerts being generated from a valid network scanner


Mark Moore

Nov 4, 2013, 10:07:33 AM
to securit...@googlegroups.com
We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Server/Sensor to ignore any traffic from our scanners?

Thx in advance for any help given.

Doug Burks

Nov 4, 2013, 10:37:41 AM
to securit...@googlegroups.com
Hi Mark,

If you want to ignore all traffic from a certain IP address, consider
using a BPF:
https://code.google.com/p/security-onion/wiki/BPF

Another option would be to edit threshold.conf and suppress the alerts
for the given IP:
https://code.google.com/p/security-onion/wiki/ManagingAlerts#Suppressions

On Mon, Nov 4, 2013 at 10:07 AM, Mark Moore <tornado...@gmail.com> wrote:
> We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Server/Sensor to ignore any traffic from our scanners?
>
> Thx in advance for any help given.
>



--
Doug Burks
http://securityonion.blogspot.com

Mark Moore

Nov 4, 2013, 11:07:07 AM
to securit...@googlegroups.com
On Monday, November 4, 2013 10:07:33 AM UTC-5, Mark Moore wrote:
> We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Server/Sensor to ignore any traffic from our scanners?
>
> Thx in advance for any help given.
I have the below listed in the last line of the threshold file. Is this valid or do you have to specify a gen_id and sid_id:

suppress track by_src, ip 10.1.160.245

Doug Burks

Nov 4, 2013, 11:11:44 AM
to securit...@googlegroups.com
If you want to ignore all traffic from a certain IP address, you're
probably better off using a BPF, as it will cut down on the amount of
traffic that the sniffing process(es) have to look at, reducing CPU
usage.

Heine Lysemose

Nov 4, 2013, 1:06:06 PM
to securit...@googlegroups.com

Hi

There are ups and downs for both suggestions. Suppressions will suppress alerts but still log the traffic.
BPF filters will ignore traffic from the scanners and not log anything.

So depending on your ability to "control" your scanners from being compromised, choose the method that suits you best.

/Lysemose

Jeremy Hoel

Nov 4, 2013, 1:07:48 PM
to securit...@googlegroups.com
In addition, doesn't the BPF affect the other tools also (network
capture specifically)?

Heine Lysemose

Nov 4, 2013, 1:15:45 PM
to securit...@googlegroups.com

Hi Jeremy

As standard all the different types of tools have their own BPF filters which are linked to the master BPF file.
You can break the symbolic link to make it more granular.

See https://code.google.com/p/security-onion/wiki/BPF

Regards,
Lysemose

Mark Moore

Nov 6, 2013, 7:42:07 AM
to securit...@googlegroups.com
On Monday, November 4, 2013 10:07:33 AM UTC-5, Mark Moore wrote:
> We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Server/Sensor to ignore any traffic from our scanners?
>
> Thx in advance for any help given.

I have looked through the examples of modifying the bpf.conf file but still have a few questions regarding adding entries. It shows how to add a host, but what about a subnet? I want to exclude traffic from all our workstations to a single server. Would the below line be valid? Or does bpf.conf not support specifying subnets?

And lastly, I want to confirm that after each line in bpf.conf we have to add && (or do we specify 'or' if trying to match any rule), but the last line in the file should not have the &&.

!(src host 192.168.x.x/24 && dst host xxx.xxx.xxx.xxx && dst port 80)

Mark Moore

Nov 6, 2013, 7:55:15 AM
to securit...@googlegroups.com
On Monday, November 4, 2013 10:07:33 AM UTC-5, Mark Moore wrote:
> We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Server/Sensor to ignore any traffic from our scanners?
>
> Thx in advance for any help given.

If anyone has a good sanitized bpf.conf file that shows a lot of variations of rules and could post it here, it would be greatly appreciated.

Thx.

Heine Lysemose

Nov 6, 2013, 8:31:40 AM
to securit...@googlegroups.com
Hi

Replies inline.


Correct!

!(src host 192.168.x.x/24 && dst host xxx.xxx.xxx.xxx && dst port 80)
If you follow the examples at https://code.google.com/p/security-onion/wiki/BPF, it almost matches what you want.

Also check out this site: http://biot.com/capstats/bpf.html
--
Regards,
Lysemose
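To make the trade-off in this thread concrete (BPF drops packets before anything sees them; a threshold.conf suppression only drops the alert and still captures the traffic), here is an added Python example that is not from the thread or from Security Onion. It builds the two bpf.conf exclusion shapes discussed above (a scanner host list, and a subnet-to-server exclusion, which in BPF needs `net` rather than `host` for a CIDR range) and simulates what each approach would capture and alert on. All addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses, not from the thread.
SCANNERS = ["10.1.160.245", "10.1.160.246"]
WORKSTATIONS = "192.168.10.0/24"
WEB_SERVER = "10.1.1.10"

@dataclass
class Pkt:
    src: str
    dst: str
    dport: int
    fires_rule: bool  # would a Snort signature match this packet?

def bpf_exclude_hosts(hosts):
    """Drop every packet to or from the listed hosts (the shape posted in the thread)."""
    return "not ( host " + " or ".join(hosts) + " )"

def bpf_exclude_subnet_to_server(net, server, port):
    """Exclude one subnet talking to one server; a CIDR range needs 'net', not 'host'."""
    return f"not ( src net {net} and dst host {server} and dst port {port} )"

def combine(*exprs):
    """bpf.conf is a single expression: join clauses with 'and', no trailing operator."""
    return " and ".join(exprs)

def matches_exclusion(pkt, hosts, net, server, port):
    """Python evaluation of the combined filter: True if the packet would be excluded."""
    if pkt.src in hosts or pkt.dst in hosts:
        return True
    in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net)
    return in_net and pkt.dst == server and pkt.dport == port

def with_bpf(pkt):
    """BPF applies before capture: excluded packets are neither logged nor alerted on."""
    if matches_exclusion(pkt, SCANNERS, WORKSTATIONS, WEB_SERVER, 80):
        return {"captured": False, "alerted": False}
    return {"captured": True, "alerted": pkt.fires_rule}

def with_suppression(pkt):
    """A 'track by_src' suppression applies after detection: traffic is still captured,
    and only alerts whose source is a scanner are dropped (replies still alert)."""
    return {"captured": True, "alerted": pkt.fires_rule and pkt.src not in SCANNERS}

if __name__ == "__main__":
    print(combine(bpf_exclude_hosts(SCANNERS),
                  bpf_exclude_subnet_to_server(WORKSTATIONS, WEB_SERVER, 80)))
    scan = Pkt("10.1.160.245", "192.168.10.7", 445, fires_rule=True)
    print("bpf:", with_bpf(scan), "suppress:", with_suppression(scan))
```

Note that a by_src suppression leaves the targets' replies to the scanner alerting, whereas the BPF host clause above drops both directions; pick the shape that matches what you actually want to keep in your pcaps.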

coriumintl

Nov 6, 2013, 8:35:04 AM
to securit...@googlegroups.com
here's my BPF:

( not host ( 192.168.a.aa or 192.168.a.bb or 192.168.a.cc or 192.168.a.dd or 192.168.a.ee ) )

so above it's ignoring traffic from 2 of my NASes that are used for storing backups and my Backup Exec main server (a.aa, a.bb, and a.dd), a gateway to our test subnet (a.cc), and lastly the DVR for our IP cameras (a.ee)

Mark Moore

Nov 6, 2013, 9:38:41 AM
to securit...@googlegroups.com
On Monday, November 4, 2013 10:07:33 AM UTC-5, Mark Moore wrote:
> We have a couple of Network scanners on our network. And even though we have our networks specified in the snort.conf, we still see a lot of traffic being alerted on when our scanners are hitting machines. How do we tell our Server/Sensor to ignore any traffic from our scanners?
>
> Thx in advance for any help given.

Thanks for the responses. I think I got it now.
