PFSense - Suricata - Suppress

Create a suppress list to silence specific Snort and ET signatures that produce false positives.

It is recommended to use a suppression only where it can be scoped to a particular IP, rather than suppressing the signature for all traffic.

Navigate to Services → Suricata → Suppress.


Examples to Suppress

The following list was compiled from various sources. Check and confirm each entry before using it.

#TODO - find out what these are.
suppress gen_id 1, sig_id 837
suppress gen_id 1, sig_id 2000334



#(spp_frag3) Fragmentation overlap
#"My internal LAN has some machines that need to connect to a VPN provider (AirVPN): without this entry, the connection to the VPN servers is lost after about 10 minutes."
suppress gen_id 123, sig_id 8



#gen_id_1
suppress gen_id 1, sig_id 536

#"GPL SHELLCODE x86 NOOP"
suppress gen_id 1, sig_id 648

#GPL SHELLCODE x86 0x90 unicode NOOP
suppress gen_id 1, sig_id 653


#This set of instructions can be used as a NOOP to pad buffers on x86 architecture machines.
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375

#FILE-IDENTIFY download of executable content -> stops file downloads
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147

#This event indicates that a portable executable file has been downloaded.
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362


#FILE-IDENTIFY download of executable content - x-header -> stops Windows downloads.
suppress gen_id 1, sig_id 16313

#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098


#"ET TFTP Outbound TFTP Read Request" – VONAGE
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088


#ET SHELLCODE Common 0a0a0a0a Heap Spray String
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013222

#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014819

#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368

#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390

#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230

#WEB-CLIENT libpng malformed chunk denial of service attempt.
suppress gen_id 3, sig_id 14772

#(http_inspect) DOUBLE DECODING ATTACK.
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4

#(http_inspect) NON-RFC DEFINED CHAR.
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32

#HTTP Inspect Errors.
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10

suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26

#(spp_frag3) Bogus fragmentation packet. Possible BSD attack.
suppress gen_id 123, sig_id 10
suppress gen_id 137, sig_id 1


#Credit Card Numbers
suppress gen_id 138, sig_id 2

#U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3

#U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4

#Email Addresses
suppress gen_id 138, sig_id 5

#U.S. Phone Numbers
suppress gen_id 138, sig_id 6

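To check which entries in a list like the one above actually silence anything in a slice of eve.json, and to express the per-IP scoping recommended at the top of the page, here is an added Python example (not code from the original page, pfSense or Suricata): it parses suppress lines in Suricata's threshold.config syntax, including the `track by_src|by_dst, ip` form, and replays constructed alert records against them. The 192.168.1.50 VPN client address and the eve.json records are constructed assumptions.

```python
import ipaddress
import json
import re

# Global form as on this page, plus the IP-scoped "..., track by_src|by_dst, ip <addr|CIDR>" form.
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
                         r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$")

def parse_suppress(text):
    """Parse threshold.config suppress lines into (gid, sid, track, network); '#' comments skipped."""
    rules = []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if not (m := SUPPRESS_RE.match(line)):
            raise ValueError(f"unparseable suppress line: {line!r}")
        gid, sid, track, ip = m.groups()
        rules.append((int(gid), int(sid), track, ipaddress.ip_network(ip, strict=False) if ip else None))
    return rules

def is_suppressed(rule, ev):
    """True if this eve.json alert record would be silenced by the rule."""
    gid, sid, track, net = rule
    if (ev["alert"]["gid"], ev["alert"]["signature_id"]) != (gid, sid):
        return False
    # a global suppress has no network; a scoped one checks the tracked address
    return net is None or ipaddress.ip_address(ev["src_ip"] if track == "by_src" else ev["dest_ip"]) in net

def audit(suppress_text, eve_lines):
    """Return (alerts that still fire as (gid, sid, src_ip), rules that matched no alert)."""
    rules = parse_suppress(suppress_text)
    used, surviving = set(), []
    for ev in map(json.loads, eve_lines):
        if ev.get("event_type") != "alert":
            continue
        matched = {i for i, r in enumerate(rules) if is_suppressed(r, ev)}
        used |= matched
        if not matched:
            surviving.append((ev["alert"]["gid"], ev["alert"]["signature_id"], ev["src_ip"]))
    return surviving, [r[:2] for i, r in enumerate(rules) if i not in used]

# Constructed sample input (not real traffic): entries from the page, one scoped to a hypothetical VPN client.
SUPPRESS_TEXT = """
suppress gen_id 1, sig_id 2012252
suppress gen_id 123, sig_id 8, track by_src, ip 192.168.1.50
suppress gen_id 1, sig_id 837
"""
EVE_LINES = [
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.9","alert":{"gid":123,"signature_id":8}}',
    '{"event_type":"alert","src_ip":"192.168.1.77","dest_ip":"203.0.113.9","alert":{"gid":123,"signature_id":8}}',
    '{"event_type":"alert","src_ip":"198.51.100.4","dest_ip":"192.168.1.20","alert":{"gid":1,"signature_id":2012252}}',
]
```

Running `audit(SUPPRESS_TEXT, EVE_LINES)` reports the 123:8 alert from the non-VPN host as still firing and the 1:837 entry as never matching, which is the kind of check the "confirm before use" advice above calls for.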

Here is the most up-to-date suppression list. I have seen barely any false positives. Feel free to add to or update the list.

suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 23256
suppress gen_id 1, sig_id 24889
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2000419
suppress gen_id 1, sig_id 2003195
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2008578
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2010935
suppress gen_id 1, sig_id 2010937
suppress gen_id 1, sig_id 2011716
suppress gen_id 1, sig_id 2012086
suppress gen_id 1, sig_id 2012087
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2012089
suppress gen_id 1, sig_id 2012141
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2013414
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014726
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2103192
suppress gen_id 1, sig_id 2013504
suppress gen_id 1, sig_id 2406003
suppress gen_id 1, sig_id 2406067
suppress gen_id 1, sig_id 2406069
suppress gen_id 1, sig_id 2406424
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
#Unknown
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
#(spp_frag3) Bogus fragmentation packet. Possible BSD attack
suppress gen_id 123, sig_id 10
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#Credit Card Numbers
suppress gen_id 138, sig_id 2
#U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
#U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
#Email Addresses
suppress gen_id 138, sig_id 5
#U.S. Phone Numbers
suppress gen_id 138, sig_id 6
#(spp_sip) Maximum dialogs within a session reached
suppress gen_id 140, sig_id 27
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
pfsense/suricata/suppress.1586274633.txt.gz · Last modified: 2020/07/15 09:30 (external edit)