If you are using debian, you should be able to set up a packet capture with tcpdump and capture a single packet for traffic to that IP only.

Albert Lewis

Email: allewi@cisco.com 
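Al's suggestion is to limit the capture to one host at capture time. As an added example that is not from the thread, from Snort or from tcpdump, the Python below applies the same idea after the fact: it reads a classic pcap and writes out only the frames whose IPv4 source or destination is the host, so a capture from a busy sensor can be cut down before it is shared. It assumes an Ethernet link type with untagged IPv4 frames; the sample capture is constructed inline.

```python
import struct
from typing import Iterator, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def pcap_records(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (record_header, frame) for each record in a classic pcap file."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        hdr = data[off:off + 16]               # ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack("<I", hdr[8:12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        yield hdr, frame
        off += 16 + incl_len

def involves_host(frame: bytes, host: bytes) -> bool:
    """True if the frame is untagged IPv4 and host is its source or destination."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return False
    return host in (frame[26:30], frame[30:34])   # src, dst after 14-byte Ethernet header

def filter_pcap(data: bytes, host: str) -> bytes:
    """Return a new pcap (same global header) holding only records to/from host."""
    target = ip_to_bytes(host)
    kept = [hdr + frame for hdr, frame in pcap_records(data) if involves_host(frame, target)]
    return data[:24] + b"".join(kept)

def count_records(data: bytes) -> int:
    return sum(1 for _ in pcap_records(data))

# Constructed sample capture (not real traffic): three minimal Ethernet+IPv4 frames.
def _frame(src: str, dst: str) -> bytes:
    ip_hdr = b"\x45\x00\x00\x14" + b"\x00" * 8 + ip_to_bytes(src) + ip_to_bytes(dst)
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip_hdr

def _record(frame: bytes) -> bytes:
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(
    _record(_frame(s, d)) for s, d in
    [("172.19.8.25", "10.0.0.1"), ("10.0.0.2", "10.0.0.3"), ("10.0.0.4", "172.19.8.25")])
```

Where tcpdump is available, `tcpdump -nn -r big.pcap -w small.pcap host 172.19.8.25` does the same job with a BPF filter; the script is for cases where only Python is at hand or the format needs to be inspected by hand.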


From: David Melczer <dmelczer@greenbaumlaw.com>
Sent: Thursday, October 23, 2025 2:42 PM
To: Al Lewis (allewi) <allewi@cisco.com>; snort-users@lists.snort.org <snort-users@lists.snort.org>
Subject: RE: Request for configuration assistance
I do know that Snort itself can do packet capture.  Is there a way to specify to only capture from a particular IP?  Otherwise, the packet capture is going to be enormous from an 80-person enterprise behind this IDS.  Even with just the IP, the packet capture will likely be large because the alerts are triggering during a laptop Windows 11 imaging process…

I could set up a wireshark system also if that would help.

For now, I’m taking the cheap way out though…instead of turning on/off the sensor during imaging (which was our previous strategy), I’ve actually commented out those 11 rules from my et_snort3.rules.  At least I’m not flooding my IT team’s emails but I do know it leaves a small blind spot…

-Dave

David Z. Melczer  | Director of Information Technology

Greenbaum, Rowe, Smith & Davis LLP
Delivery: 99 Wood Avenue South | Iselin, NJ | 08830
Mailing: P.O. Box 5600 | Woodbridge, NJ | 07095
T: 732.476.3284  |  F: 732.476.3285

greenbaumlaw.com


From: Al Lewis (allewi) <allewi@cisco.com>
Sent: Thursday, October 23, 2025 2:35 PM
To: snort-users@lists.snort.org; David Melczer <dmelczer@greenbaumlaw.com>; Al Lewis (allewi) <allewi@cisco.com>
Subject: Re: Request for configuration assistance

The gid/sid should probably be removed as that doesn't match what you had listed below.

Without a sample of the traffic it would be hard to replicate your exact issue. I will try it out and see if there is a problem.


Albert Lewis

Email: allewi@cisco.com 


From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Al Lewis (allewi) via Snort-users <snort-users@lists.snort.org>
Sent: Thursday, October 23, 2025 1:31 PM
To: snort-users@lists.snort.org <snort-users@lists.snort.org>; David Melczer <dmelczer@greenbaumlaw.com>
Subject: Re: [Snort-users] Request for configuration assistance

Do you have a sample of the traffic that is alerting (with the suppression in place) that you can share?


Albert Lewis

Email: allewi@cisco.com 


From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of David Melczer via Snort-users <snort-users@lists.snort.org>
Sent: Thursday, October 23, 2025 12:46 PM
To: snort-users@lists.snort.org <snort-users@lists.snort.org>
Subject: [Snort-users] Request for configuration assistance

Good day.

We have a Snort3 sensor running 3.9.6.0 with the ETOPEN ruleset.  The sensor runs on Debian 13, if that is relevant.  Every time we go to image one of our laptops, we get several hundred ET alerts despite the fact that I have what I believe is the proper suppression rules set in SNORT.LUA (the IP address of the machine generating these alerts is 172.19.8.25).  Here is what I believe to be a relevant clip:

---------------------------------------------------------------------------
-- 6. configure filters
---------------------------------------------------------------------------

include 'et_thresholds.lua'

-- below are examples of filters
-- each table is a list of records

suppress =
{
    -- don't want to see any of these
    { track = 'by_src', ip = '172.19.8.25' },
    { track = 'by_dst', ip = '172.19.8.25' },
}

I’ve tried different syntax that I’ve seen online, including:

    { gid = 0, sid = 0, track = 'by_src', ip = '172.19.8.25' },
    { gid = 0, sid = 0, track = 'by_dst', ip = '172.19.8.25' },

It would appear though that nothing I do suppresses error messages from this IP…

Does anyone have any idea how I might be able to accomplish this?

Thank you very much in advance for any assistance you can provide.

-Dave


Disclaimer

This e-mail (including any attachments) is intended only for the exclusive use of the individual to whom it is addressed. The information contained hereinafter may be proprietary, confidential, privileged and exempt from disclosure under applicable law. If the reader of this e-mail is not the intended recipient or agent responsible for delivering the message to the intended recipient, the reader is hereby put on notice that any use, dissemination, distribution or copying of this communication is strictly prohibited. If the reader has received this communication in error, please immediately notify the sender by telephone (732-549-5600) or e-mail and delete all copies of this e-mail and any attachments. Thank you.
