Snort mailing list archives

Re: http_decode alerts bypassing "pass" rules


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 23 May 2001 01:25:00 -0400

Use the BPF filtering frontend.  This is covered briefly in the USAGE
file and in greater detail in the man page.  Basically, the preprocessor
stage fires before the rules-based engine where pass rules are
considered.  BPF acts as a pre-filter for packets before they get into
Snort at all so you can drop packets before they can get to the
preprocessor stage by that route.  For example, if you wanted to ignore
a specific host like 10.1.1.1:

snort -c snort.conf not host 10.1.1.1

It's pretty simple, check the docs.

     -Marty

Pete Philips wrote:

I have several "pass" rules in my snort.conf (before the
http_decode preprocessor) which ignore all traffic to and
from certain machines which are regularly used to test
exploits etc.

This works fine and no alerts are generated by these hosts
except when it is generated by http_decode such as:

May  9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected:
10.1.1.31:1312 -> 192.168.1.1:80

Is there a way to also silence these alerts for particular hosts?

Thanks!

Pete.

PS. I am running Snort 1.7 on OpenBSD.

  ---------------------------------------------------------------
|   Pete Philips                                           \|/  |
|   Integralis S3 Team                                      O   |
|   E-mail:  pete () s3 integralis co uk                           |
|   Phone:   +44 118 930 6060                                   |
|   PGP Key: http://www.s3.integralis.co.uk/pgp/pete.gpg        |
  ---------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

