PFSense - Suricata - Suppress
Create a suppress list to silence specific Snort and ET signatures that generate false positives in your environment.
Services -> Suricata -> Suppress
Examples to Suppress
The following list is compiled from various sources. Check and confirm each entry before using it; every suppression below hides a signature everywhere, so make sure the alert really is a false positive on your network.
#gen_id_1
#GPL SHELLCODE x86 NOOP
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 837
suppress gen_id 1, sig_id 2000334
#"GPL SHELLCODE x86 NOOP".
suppress gen_id 1, sig_id 648
#GPL SHELLCODE x86 0x90 un
#This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
#FILE-IDENTIFY download of executable content -> stops file downloads
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
#This event indicates that a portable executable file has been downloaded.
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
#FILE-IDENTIFY download of executable content - x-header -> stops windows download.
suppress gen_id 1, sig_id 16313
#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
#"ET TFTP Outbound TFTP Read Request" - VONAGE
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088
#ET SHELLCODE Common 0a0a0a0a Heap Spray String
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013222
#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014819
#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
#WEB-CLIENT libpng malformed chunk denial of service attempt.
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK.
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
#(http_inspect) NON-RFC DEFINED CHAR.
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
#HTTP Inspect Errors.
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
#(spp_frag3) Bogus fragmentation packet. Possible BSD attack.
suppress gen_id 123, sig_id 10
suppress gen_id 137, sig_id 1
#Credit Card Numbers
suppress gen_id 138, sig_id 2
#U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
#U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
#Email Addresses
suppress gen_id 138, sig_id 5
#U.S. Phone Numbers
suppress gen_id 138, sig_id 6
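Because the page advises checking each entry before use, a small checker helps: it parses the list in the syntax shown above, keeps the comment that precedes each entry, flags malformed lines and duplicate suppressions (the list above contains sig_id 648 twice), and lists every entry that silences a signature globally rather than for one host. This is an added example, not code from the wiki or from pfSense/Suricata; the sample input embedded below is constructed from a few of the page's lines, and the `track by_src, ip <cidr>` clause it also accepts is standard Suricata threshold.config syntax for scoping a suppression to an address (the 192.0.2.10 host is an assumed example).

```python
"""Parse and sanity-check a Suricata/Snort suppress list (threshold.config syntax).

Added example; not part of the wiki page. The SAMPLE below is constructed.
"""
import re
from collections import Counter

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

# Constructed sample in the page's format: one duplicate, one host-scoped
# entry (assumed example address) and one malformed line to exercise the checks.
SAMPLE = """\
#gen_id_1
#GPL SHELLCODE x86 NOOP
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
#"GPL SHELLCODE x86 NOOP".
suppress gen_id 1, sig_id 648
#Credit Card Numbers
suppress gen_id 138, sig_id 2
# scoped to one source host (assumed example, not on the page)
suppress gen_id 1, sig_id 2008120, track by_src, ip 192.0.2.10
this line is not valid
"""


def parse_suppress_list(text):
    """Return (entries, errors).

    entries: dicts with gid, sid, track, ip and the comment text that preceded
             the entry (the page's convention is comment-before-line).
    errors:  (line number, raw line) for lines that are neither comments nor
             valid suppress statements.
    """
    entries, errors, pending_comments = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending_comments.append(line.lstrip("#").strip())
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            errors.append((lineno, raw))
            pending_comments = []
            continue
        gid, sid, track, ip = m.groups()
        entries.append({
            "gid": int(gid), "sid": int(sid),
            "track": track, "ip": ip,
            "comment": " ".join(pending_comments),
        })
        pending_comments = []
    return entries, errors


def find_duplicates(entries):
    """Keys (gid, sid, track, ip) that occur more than once in the list."""
    counts = Counter((e["gid"], e["sid"], e["track"], e["ip"]) for e in entries)
    return sorted(k for k, n in counts.items() if n > 1)


def global_suppressions(entries):
    """Entries without a track/ip clause hide the signature for all traffic."""
    return [e for e in entries if e["track"] is None]


if __name__ == "__main__":
    found, bad = parse_suppress_list(SAMPLE)
    print(f"{len(found)} entries, {len(bad)} malformed line(s)")
    for lineno, raw in bad:
        print(f"  line {lineno}: {raw!r}")
    for key in find_duplicates(found):
        print(f"  duplicate: gen_id {key[0]}, sig_id {key[1]}")
    for e in global_suppressions(found):
        print(f"  global: {e['gid']}:{e['sid']}  # {e['comment']}")
```

Run it against the real list (replace SAMPLE with the file contents) before pasting the entries into Services -> Suricata -> Suppress; anything reported as global is a signature you will never see an alert for again, so those are the lines to justify one by one.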
pfsense/suricata/suppress.1583096084.txt.gz · Last modified: 2020/07/15 09:30 (external edit)