Differences

This shows you the differences between two versions of the page.

--- pfsense:suricata:suppress [2021/01/20 11:32] – peter
+++ pfsense:suricata:suppress [2022/07/16 21:39] (current) – 4uMXQZ <a href="http://gdkrhydmwahu.com/">gdkrhydmwahu</a>, [url=http://ocupbhvhwaef.com/]ocupbhvhwaef[/url], [link=http://cjsxuyshervu.com/]cjsxuyshervu[/link], http://tkagiwtewlnu.com/ 5.188.211.16
@@ Line 1: / Line 1: @@
-====== PFSense - Suricata - Suppress ======
+uMXQZ  <a href="http://gdkrhydmwahu.com/">gdkrhydmwahu</a>, [url=http://ocupbhvhwaef.com/]ocupbhvhwaef[/url], [link=http://cjsxuyshervu.com/]cjsxuyshervu[/link], http://tkagiwtewlnu.com/
-Create a suppress list to suppress certain snort and ET signatures to overcome False Positives.
-Recommended to only use a suppression if a rule for a particular IP if configured.
-Navigate to **Services -> Suricata -> Suppress**.
-----
-<code>
-#SURICATA STREAM ESTABLISHED packet out of window
-suppress gen_id 1, sig_id 2210020
-#SURICATA STREAM reassembly overlap with different data
-suppress gen_id 1, sig_id 2210050
-#SURICATA STREAM excessive retransmissions
-suppress gen_id 1, sig_id 2210054
-#SURICATA zero length padN option
-suppress gen_id 1, sig_id 2200094, track by_dst, ip ff02::16
-#SURICATA TCP option invalid length
-suppress gen_id 1, sig_id 2200036
-#SURICATA STREAM FIN out of window
-suppress gen_id 1, sig_id 2210038
-#SURICATA TLS invalid record version
-suppress gen_id 1, sig_id 2230015
-#ET POLICY PE EXE or DLL Windows file download HTTP
-suppress gen_id 1, sig_id 2018959
-#SURICATA STREAM Packet with invalid ack
-suppress gen_id 1, sig_id 2210045
-#SURICATA STREAM TIMEWAIT ACK with wrong seq
-suppress gen_id 1, sig_id 2210042
-#SURICATA STREAM ESTABLISHED invalid ack
-suppress gen_id 1, sig_id 2210029
-#SURICATA TLS invalid record/traffic
-suppress gen_id 1, sig_id 2230010
-#SURICATA STREAM Packet with invalid timestamp
-suppress gen_id 1, sig_id 2210044
-#SURICATA STREAM CLOSEWAIT FIN out of window
-suppress gen_id 1, sig_id 2210016
-#SURICATA TLS error message encountered
-suppress gen_id 1, sig_id 2230009
-#SURICATA STREAM Last ACK with wrong seq
-suppress gen_id 1, sig_id 2210039
-#SURICATA TLS invalid handshake message
-suppress gen_id 1, sig_id 2230003
-#SURICATA UDPv4 invalid checksum
-suppress gen_id 1, sig_id 2200075, track by_src, ip 10.13.1.1
-#SURICATA ICMPv4 invalid checksum
-suppress gen_id 1, sig_id 2200076, track by_dst, ip 10.13.1.1
-#SURICATA ICMPv4 invalid checksum
-suppress gen_id 1, sig_id 2200076, track by_src, ip 8.8.8.8
-#SURICATA ICMPv4 invalid checksum
-suppress gen_id 1, sig_id 2200076, track by_src, ip 8.8.4.4
-#SURICATA HTTP response field missing colon
-suppress gen_id 1, sig_id 2221020
-#SURICATA DNS Unsolicited response
-suppress gen_id 1, sig_id 2240001, track by_src, ip 10.13.1.1
-#SURICATA DNS Unsolicited response
-suppress gen_id 1, sig_id 2240001, track by_src, ip 8.8.8.8
-# Breaks Stamps.com
-#SURICATA HTTP unable to match response to request
-suppress gen_id 1, sig_id 2221010
-#Breaks AAII StockInvestor Pro
-#SURICATA Applayer Detect protocol only one direction
-suppress gen_id 1, sig_id 2260002
-</code>
-----
-===== Examples to Suppress =====
-The following list is from various sources. Recommended to check and confirm if these are to be used.
-<code>
-#TODO - FIND OUT on these.
-suppress gen_id 1, sig_id 837
-suppress gen_id 1, sig_id 2000334
-#(spp_frag3) Fragmentation overlap
-'my internal LAN has some machines that need to connect to a VPN provider (AirVPN): without this entry, the connection to the VPN servers is lost after about 10 minutes.
-suppress gen_id 123, sig_id 8
-#gen_id_1
-suppress gen_id 1, sig_id 536
-#"GPL SHELLCODE x86 NOOP"
-suppress gen_id 1, sig_id 648
-#GPL SHELLCODE x86 0x90 unicode NOOP
-suppress gen_id 1, sig_id 653
-#This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
-suppress gen_id 1, sig_id 1390
-suppress gen_id 1, sig_id 2452
-suppress gen_id 1, sig_id 8375
-#FILE-IDENTIFY download of executable content -> stops file downloads
-suppress gen_id 1, sig_id 11192
-suppress gen_id 1, sig_id 12286
-suppress gen_id 1, sig_id 15147
-#This event indicates that a portable executable file has been downloaded.
-suppress gen_id 1, sig_id 15306
-suppress gen_id 1, sig_id 15362
-#FILE-IDENTIFY download of executable content - x-header  -> stops windows download.
-suppress gen_id 1, sig_id 16313
-#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
-suppress gen_id 1, sig_id 16482
-suppress gen_id 1, sig_id 17458
-suppress gen_id 1, sig_id 20583
-suppress gen_id 1, sig_id 23098
-#"ET TFTP Outbound TFTP Read Request" – VONAGE
-suppress gen_id 1, sig_id 2008120
-suppress gen_id 1, sig_id 2010516
-suppress gen_id 1, sig_id 2012088
-#ET SHELLCODE Common 0a0a0a0a Heap Spray String
-suppress gen_id 1, sig_id 2012252
-suppress gen_id 1, sig_id 2012758
-suppress gen_id 1, sig_id 2013222
-#ET INFO EXE - OSX Disk Image Download
-suppress gen_id 1, sig_id 2014518
-suppress gen_id 1, sig_id 2014520
-suppress gen_id 1, sig_id 2014819
-#ET INFO PDF Using CCITTFax Filter
-suppress gen_id 1, sig_id 2015561
-suppress gen_id 1, sig_id 2100366
-suppress gen_id 1, sig_id 2100368
-#GPL SHELLCODE x86 stealth NOOP
-suppress gen_id 1, sig_id 2100651
-suppress gen_id 1, sig_id 2101390
-#GPL SHELLCODE x86 0xEB0C NOOP
-suppress gen_id 1, sig_id 2101424
-suppress gen_id 1, sig_id 2102314
-suppress gen_id 1, sig_id 2103134
-suppress gen_id 1, sig_id 2500056
-suppress gen_id 1, sig_id 100000230
-#WEB-CLIENT libpng malformed chunk denial of service attempt.
-suppress gen_id 3, sig_id 14772
-#(http_inspect) DOUBLE DECODING ATTACK.
-suppress gen_id 119, sig_id 2
-suppress gen_id 119, sig_id 4
-#(http_inspect) NON-RFC DEFINED CHAR.
-suppress gen_id 119, sig_id 14
-suppress gen_id 119, sig_id 31
-suppress gen_id 119, sig_id 32
-#HTTP Inspect Errors.
-suppress gen_id 120, sig_id 2
-suppress gen_id 120, sig_id 3
-suppress gen_id 120, sig_id 4
-suppress gen_id 120, sig_id 6
-suppress gen_id 120, sig_id 8
-suppress gen_id 120, sig_id 9
-suppress gen_id 120, sig_id 10
-suppress gen_id 122, sig_id 19
-suppress gen_id 122, sig_id 21
-suppress gen_id 122, sig_id 22
-suppress gen_id 122, sig_id 23
-suppress gen_id 122, sig_id 26
-#(spp_frag3) Bogus fragmentation packet. Possible BSD attack.
-suppress gen_id 123, sig_id 10
-suppress gen_id 137, sig_id 1
-#Credit Card Numbers
-suppress gen_id 138, sig_id 2
-#U.S. Social Security Numbers (with dashes)
-suppress gen_id 138, sig_id 3
-#U.S. Social Security Numbers (w/out dashes)
-suppress gen_id 138, sig_id 4
-#Email Addresses
-suppress gen_id 138, sig_id 5
-#U.S. Phone Numbers
-suppress gen_id 138, sig_id 6
-</code>
-----
-Here is the most up to date suppression list. Have seen barely any false positives. Feel free to add/update the list..
-<code>
-suppress gen_id 1, sig_id 536
-suppress gen_id 1, sig_id 648
-suppress gen_id 1, sig_id 653
-suppress gen_id 1, sig_id 1390
-suppress gen_id 1, sig_id 2452
-suppress gen_id 1, sig_id 8375
-suppress gen_id 1, sig_id 11192
-suppress gen_id 1, sig_id 12286
-suppress gen_id 1, sig_id 15147
-suppress gen_id 1, sig_id 15306
-suppress gen_id 1, sig_id 15362
-suppress gen_id 1, sig_id 16313
-suppress gen_id 1, sig_id 16482
-suppress gen_id 1, sig_id 17458
-suppress gen_id 1, sig_id 20583
-suppress gen_id 1, sig_id 23098
-suppress gen_id 1, sig_id 23256
-suppress gen_id 1, sig_id 24889
-suppress gen_id 1, sig_id 2000334
-suppress gen_id 1, sig_id 2000419
-suppress gen_id 1, sig_id 2003195
-suppress gen_id 1, sig_id 2008120
-suppress gen_id 1, sig_id 2008578
-suppress gen_id 1, sig_id 2010516
-suppress gen_id 1, sig_id 2010935
-suppress gen_id 1, sig_id 2010937
-suppress gen_id 1, sig_id 2011716
-suppress gen_id 1, sig_id 2012086
-suppress gen_id 1, sig_id 2012087
-suppress gen_id 1, sig_id 2012088
-suppress gen_id 1, sig_id 2012089
-suppress gen_id 1, sig_id 2012141
-suppress gen_id 1, sig_id 2012252
-suppress gen_id 1, sig_id 2012758
-suppress gen_id 1, sig_id 2013222
-suppress gen_id 1, sig_id 2013414
-suppress gen_id 1, sig_id 2014518
-suppress gen_id 1, sig_id 2014520
-suppress gen_id 1, sig_id 2014726
-suppress gen_id 1, sig_id 2014819
-suppress gen_id 1, sig_id 2015561
-suppress gen_id 1, sig_id 2100366
-suppress gen_id 1, sig_id 2100368
-suppress gen_id 1, sig_id 2100651
-suppress gen_id 1, sig_id 2101390
-suppress gen_id 1, sig_id 2101424
-suppress gen_id 1, sig_id 2102314
-suppress gen_id 1, sig_id 2103134
-suppress gen_id 1, sig_id 2103192
-suppress gen_id 1, sig_id 2013504
-suppress gen_id 1, sig_id 2406003
-suppress gen_id 1, sig_id 2406067
-suppress gen_id 1, sig_id 2406069
-suppress gen_id 1, sig_id 2406424
-suppress gen_id 1, sig_id 2500056
-suppress gen_id 1, sig_id 100000230
-suppress gen_id 3, sig_id 14772
-#(http_inspect) DOUBLE DECODING ATTACK
-suppress gen_id 119, sig_id 2
-#(http_inspect) BARE BYTE UNICODE ENCODING
-suppress gen_id 119, sig_id 4
-#(http_inspect) IIS UNICODE CODEPOINT ENCODING
-suppress gen_id 119, sig_id 7
-#(http_inspect) NON-RFC DEFINED CHAR [**]
-suppress gen_id 119, sig_id 14
-#(http_inspect) UNKNOWN METHOD
-suppress gen_id 119, sig_id 31
-#(http_inspect) SIMPLE REQUEST
-suppress gen_id 119, sig_id 32
-#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
-suppress gen_id 120, sig_id 2
-#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
-suppress gen_id 120, sig_id 3
-#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
-suppress gen_id 120, sig_id 4
-#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
-suppress gen_id 120, sig_id 6
-#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
-suppress gen_id 120, sig_id 8
-#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
-suppress gen_id 120, sig_id 9
-Unknown
-suppress gen_id 120, sig_id 10
-suppress gen_id 122, sig_id 19
-suppress gen_id 122, sig_id 21
-suppress gen_id 122, sig_id 22
-suppress gen_id 122, sig_id 23
-suppress gen_id 122, sig_id 26
-#(spp_frag3) Bogus fragmentation packet. Possible BSD attack
-suppress gen_id 123, sig_id 10
-#(smtp) Attempted response buffer overflow: 1448 chars
-suppress gen_id 124, sig_id 3
-#(ftp_telnet) Invalid FTP Command
-suppress gen_id 125, sig_id 2
-#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
-suppress gen_id 137, sig_id 1
-Credit Card Numbers
-suppress gen_id 138, sig_id 2
-U.S. Social Security Numbers (with dashes)
-suppress gen_id 138, sig_id 3
-U.S. Social Security Numbers (w/out dashes)
-suppress gen_id 138, sig_id 4
-Email Addresses
-suppress gen_id 138, sig_id 5
-U.S. Phone Numbers
-suppress gen_id 138, sig_id 6
-#(spp_sip) Maximum dialogs within a session reached
-suppress gen_id 140, sig_id 27
-#(IMAP) Unknown IMAP4 command
-suppress gen_id 141, sig_id 1
-</code>
-----
-===== References =====
-https://www.snort.org/faq/readme-thresholding