Help With Disabling Snort ID


Aaron Ryan

Feb 12, 2016, 1:31:51 PM
to security-onion
I have a new install of Security Onion 14.04.3 and I'm having the hardest time trying to figure out how to disable the rule that is generating the following events:

2016 Feb 12 18:21:58 snort [120:3:1] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3]: {TCP} x.x.x.x:80 -> 218.32.53.183:38706
2016 Feb 12 18:21:58 snort [120:3:1] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3]: {TCP} x.x.x.x:80 -> 113.196.76.36:57628
2016 Feb 12 18:21:58 snort [120:3:1] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3]: {TCP} x.x.x.x:80 -> 218.32.53.183:38706

I have updated the file at /etc/nsm/pulledpork/disablesid.conf
with:
1:3
3:120
120:3
1:120
120:1

and then ran
sudo /usr/bin/rule-update

But the rule keeps generating events. I may be using the wrong sig ID.

Can you help?

-Aaron

Aaron Ryan

Feb 12, 2016, 2:17:55 PM
to security-onion
I also tried updating /etc/nsm/rules/threshold.conf
and adding "suppress gen_id 120, sig_id 3"

but it's still generating events.
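As an added illustration, not code from this thread or from Security Onion itself: a small Python checker that parses the `[gid:sid:rev]` tag Snort prints on each alert line (here `[120:3:1]`, gid 120 being the http_inspect preprocessor, sid 3, revision 1) and cross-references it against the `gid:sid` entries of a pulledpork `disablesid.conf` and the `suppress gen_id X, sig_id Y` lines of `threshold.conf`. It reports which alerting IDs are named in which file and which config entries name no ID that actually alerted, which is how transposed gid/sid pairs show up. The sample alert lines and config bodies below are constructed to mirror the posts above (addresses replaced with documentation ranges); only the plain `gid:sid` form of `disablesid.conf` is parsed, an assumption that leaves pulledpork's `pcre:` and category syntaxes out.

```python
"""Cross-check Snort alert gid:sid tags against disablesid.conf and threshold.conf."""
import re
from typing import Dict, List, Set, Tuple

GidSid = Tuple[int, int]

# Snort prefixes each alert with [gid:sid:rev]; gid 120 is the http_inspect preprocessor.
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
# threshold.conf: "suppress gen_id 120, sig_id 3" (an optional track clause may follow).
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.IGNORECASE)

# Constructed sample alerts modelled on the thread; not real captured data.
SAMPLE_ALERTS = """\
2016 Feb 12 18:21:58 snort [120:3:1] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3]: {TCP} 192.0.2.5:80 -> 198.51.100.7:38706
2016 Feb 12 18:21:58 snort [120:3:1] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3]: {TCP} 192.0.2.5:80 -> 198.51.100.9:57628
2016 Feb 12 18:22:10 snort [1:1000001:1] LOCAL constructed test rule [Classification: Misc activity] [Priority: 3]: {TCP} 198.51.100.9:443 -> 192.0.2.5:49152
"""

# The five disablesid.conf entries tried in the thread, as a constructed file body.
SAMPLE_DISABLESID = """\
# gid:sid, one per line (pulledpork also accepts comma-separated entries)
1:3
3:120
120:3
1:120
120:1
"""

# Constructed threshold.conf body with the suppress line from the second post.
SAMPLE_THRESHOLD = """\
# suppress the http_inspect event entirely
suppress gen_id 120, sig_id 3
"""


def parse_alert_ids(text: str) -> List[Tuple[int, int, int]]:
    """Return (gid, sid, rev) for every alert line carrying a [gid:sid:rev] tag."""
    return [(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            for m in ALERT_ID_RE.finditer(text)]


def parse_disablesid(text: str) -> Set[GidSid]:
    """Parse plain gid:sid entries (comments stripped) from a pulledpork disablesid.conf."""
    entries: Set[GidSid] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for item in line.split(","):
            m = re.fullmatch(r"(\d+):(\d+)", item.strip())
            if m:
                entries.add((int(m.group(1)), int(m.group(2))))
    return entries


def parse_threshold_suppress(text: str) -> Set[GidSid]:
    """Return (gid, sid) for every 'suppress gen_id X, sig_id Y' line in threshold.conf."""
    found: Set[GidSid] = set()
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            found.add((int(m.group(1)), int(m.group(2))))
    return found


def cross_check(alerts: str, disablesid: str, threshold: str) -> Dict[str, object]:
    """Map each alerting gid:sid to the config file(s) naming it, and flag config
    entries that name no alerting gid:sid (a transposed gid/sid is the usual cause)."""
    seen: Set[GidSid] = {(gid, sid) for gid, sid, _rev in parse_alert_ids(alerts)}
    sources = {
        "disablesid.conf": parse_disablesid(disablesid),
        "threshold.conf": parse_threshold_suppress(threshold),
    }
    covered: Dict[GidSid, Set[str]] = {}
    for name, entries in sources.items():
        for gid_sid in entries & seen:
            covered.setdefault(gid_sid, set()).add(name)
    return {
        "covered": covered,
        "uncovered": seen - set(covered),
        "stray": {name: entries - seen for name, entries in sources.items()},
    }


def main() -> None:
    report = cross_check(SAMPLE_ALERTS, SAMPLE_DISABLESID, SAMPLE_THRESHOLD)
    for (gid, sid), files in sorted(report["covered"].items()):
        print(f"{gid}:{sid} named in {', '.join(sorted(files))}")
    for gid, sid in sorted(report["uncovered"]):
        print(f"{gid}:{sid} not named in any config file")
    for name, strays in report["stray"].items():
        for gid, sid in sorted(strays):
            print(f"{name}: {gid}:{sid} matches no observed alert")


if __name__ == "__main__":
    main()
```

Run against real files with `cross_check(open(alert_log).read(), open(disablesid_path).read(), open(threshold_path).read())`; anything listed as stray was never going to affect the events in the log, and a gid:sid that still alerts while listed as covered points at a backlog or at the sensor not yet running the new configuration rather than at the entry itself.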

Doug Burks

Feb 12, 2016, 2:25:11 PM
to securit...@googlegroups.com
Hi Aaron,

Is it possible you're seeing a backlog of old events?

Let's try this:

# stop all services
sudo service nsm stop

# delete all existing alerts
sudo rm /nsm/sensor_data/*/snort-*/snort.unified2*

# start sguild only
sudo nsm_server_ps-start

# log into Sguil, select each of your existing "http_inspect: NO
CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE" alerts and
press F8 to remove them from the RealTime queue

# start sensor processes
sudo nsm_sensor_ps-start
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com