This is my current Snort suppress list. These rules were added because basic functionality was being prevented, and the list represents a compromise between security and usability. Each suppress rule was added when I determined that the alert it covers prevented legitimate use (email, SSH server access, etc.). I may one of these days regret the choices made. The last two additions were made because the alerts they suppress limited functionality at jcpenny.com.
Without further ado, here is the list:
#(spp_sip) URI is too long
suppress gen_id 140, sig_id 3
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33
#ET WEB_SERVER Fake Googlebot UA 2 Inbound
suppress gen_id 1, sig_id 2015527
#(portscan) UDP Filtered Decoy Portscan
suppress gen_id 122, sig_id 22
#(portscan) UDP Filtered Portscan
suppress gen_id 122, sig_id 21
#(spp_sip) Empty request URI
suppress gen_id 140, sig_id 2
#(IMAP) Unknown IMAP4 response
suppress gen_id 141, sig_id 2
#(portscan) UDP Filtered Distributed Portscan
suppress gen_id 122, sig_id 24
#FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt
suppress gen_id 1, sig_id 32817
#(spp_ssh) Challenge-Response Overflow exploit
suppress gen_id 128, sig_id 1
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#ET POLICY PE EXE or DLL Windows file download HTTP
suppress gen_id 1, sig_id 2018959
#ET SCAN Potential SSH Scan
suppress gen_id 1, sig_id 2001219
#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
suppress gen_id 1, sig_id 2010516, track by_src, ip 67.215.65.130
#FILE-IDENTIFY Microsoft emf file download request
suppress gen_id 1, sig_id 2435
#FILE-IDENTIFY FON font file download request
suppress gen_id 1, sig_id 20269
#FILE-IMAGE Microsoft Kodak Imaging large offset malformed tiff - big-endian
suppress gen_id 1, sig_id 17232
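A suppress rule without a track clause drops the event for every host, which is what most of the entries above do (the spp_ssh Challenge-Response Overflow entry, for example, is silenced for every source, not just one). The one entry with track by_src, ip only silences alerts from that single address. The script below, an added example that is not part of the original post, parses a suppress list in the threshold.conf syntax Snort uses (suppress gen_id G, sig_id S[, track by_src|by_dst, ip A]), flags duplicate entries, and replays a few constructed alert_fast lines through the rules to show which alerts survive. Only a single IP or CIDR is handled after ip; bracketed IP lists are not. The suppress entries and alert lines embedded in it are constructed samples.

```python
"""Apply a Snort suppress list to alert_fast lines (added example, not the author's code).

Suppress syntax (Snort threshold.conf):
    suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>]
Alert syntax (Snort alert_fast, one event per line):
    MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
"""
import ipaddress
import re
from collections import Counter

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)
# [gid:sid:rev] msg [**] ... {TCP} or {PROTO:255} then IPv4 src -> dst, ports optional
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{[^}]+\}\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)

# Constructed subset of a suppress list, including one duplicated entry.
SUPPRESS_LIST = """\
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
suppress gen_id 1, sig_id 2010516, track by_src, ip 67.215.65.130
#(spp_ssh) Challenge-Response Overflow exploit
suppress gen_id 128, sig_id 1
#FILE-IDENTIFY FON font file download request
suppress gen_id 1, sig_id 20269
#FILE-IDENTIFY FON font file download request
suppress gen_id 1, sig_id 20269
"""

# Constructed alert_fast lines; addresses are documentation ranges.
SAMPLE_ALERTS = """\
01/02-10:00:01.000001  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
01/02-10:00:02.000002  [**] [1:2010516:8] ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 67.215.65.130:80 -> 10.0.0.5:51235
01/02-10:00:03.000003  [**] [1:2010516:8] ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:80 -> 10.0.0.5:51236
01/02-10:00:04.000004  [**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**] [Priority: 3] {TCP} 198.51.100.9:40000 -> 192.0.2.22:22
01/02-10:00:05.000005  [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.9 -> 192.0.2.22
"""


def parse_suppress(text):
    """Return a list of rule dicts; '#' starts a comment, blank lines are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognized suppress syntax: {raw!r}")
        gid, sid, track, ip = m.groups()
        rules.append({
            "gid": int(gid),
            "sid": int(sid),
            "track": track,  # None means a global suppress for this gid:sid
            "net": ipaddress.ip_network(ip, strict=False) if ip else None,
        })
    return rules


def find_duplicates(rules):
    """Return sorted (gid, sid) pairs that appear more than once with identical scope."""
    keys = Counter((r["gid"], r["sid"], r["track"], str(r["net"])) for r in rules)
    return sorted({(k[0], k[1]) for k, n in keys.items() if n > 1})


def is_suppressed(rules, gid, sid, src, dst):
    """True if any rule silences this gid:sid for the given source/destination."""
    for r in rules:
        if (r["gid"], r["sid"]) != (gid, sid):
            continue
        if r["track"] is None:
            return True  # untracked suppress: event dropped for every host
        host = ipaddress.ip_address(src if r["track"] == "by_src" else dst)
        if host in r["net"]:
            return True
    return False


def parse_alert(line):
    """Return (gid, sid, msg, src, dst) from an alert_fast line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, msg, src, dst = m.groups()
    return int(gid), int(sid), msg, src, dst


def filter_alerts(rules, alert_text):
    """Split alert lines into (kept, dropped) according to the suppress rules."""
    kept, dropped = [], []
    for line in alert_text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        gid, sid, _msg, src, dst = parsed
        (dropped if is_suppressed(rules, gid, sid, src, dst) else kept).append(line)
    return kept, dropped


if __name__ == "__main__":
    rules = parse_suppress(SUPPRESS_LIST)
    print("duplicate entries:", find_duplicates(rules))
    for r in rules:
        scope = "all hosts" if r["track"] is None else f"{r['track']} {r['net']}"
        print(f"suppress {r['gid']}:{r['sid']} ({scope})")
    kept, dropped = filter_alerts(rules, SAMPLE_ALERTS)
    print(f"\n{len(dropped)} alert(s) dropped, {len(kept)} kept:")
    for line in kept:
        print("  KEEP", line)
```

Running it against the sample data reports the duplicated FON entry and drops three of the five alerts: the UNKNOWN METHOD and spp_ssh events go regardless of source, while the XSS alert is only dropped when it comes from 67.215.65.130. To check a real list, replace SUPPRESS_LIST with the contents of your threshold.conf and SAMPLE_ALERTS with a slice of /var/log/snort/alert.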