Snort mailing list archives
conf/rules problems
From: "Aaron McKinnon" <aaron () fullerene com>
Date: Wed, 23 May 2001 10:40:14 -0700
Trying to filter out false positives for DNS servers and a few local boxes that are chatty. I had it working for a while, moved snort off that box and put it on a stand alone box. Mirrored all the traffic to the new box's port and put the NIC in promiscuous mode... I'm now logging all kinds of false positives from the DNS servers and local Win 2000 boxes.

For example, this is an item I would like NOT to see:

[**] ICMP Echo Reply [**]
05/22-04:06:32.226477 208.158.118.100 -> 208.158.118.150
ICMP TTL:128 TOS:0x0 ID:32502 IpLen:20 DgmLen:84
Type:0 Code:0 ID:57209 Seq:0 ECHO REPLY
[Snort log]

I will list below all my relevant config files and custom rules set stuff(s):

*How snort is being called:

/usr/sbin/snort -Afull -o -u snort -g snort -d -D -l /var/log/snort -c /etc/snort/snort.conf

------------------------------------

*snort.conf excerpts:

var HOME_NET [208.158.118.0/24,208.158.118.108/32,208.158.118.150/32,208.158.118.3/32,208.158.118.4/32,208.158.118.5/32]
#I know there is some redundancy here... Just trying to make something go... anything.
var DNS_SERVERS [209.196.128.11/32,209.196.128.12/32,209.196.128.13/32,209.196.128.14/32,208.158.118.150/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

(should be all that is relevant from snort.conf)

------------------------------------

*local.rules file complete (local.rules is uncommented from snort.conf)

pass tcp 208.158.118.0/24 any -> 208.158.118.0/24 any
pass udp 208.158.118.0/24 any -> 208.158.118.0/24 any
pass icmp 208.158.118.0/24 any -> 208.158.118.0/24 any
pass tcp 209.196.150.82/32 any -> 208.158.118.0/24 any
pass udp 209.196.150.82/32 any -> 208.158.118.0/24 any
pass icmp 209.196.150.82/32 any -> 208.158.118.0/24 any
pass tcp 209.196.128.13/32 53 -> 208.158.118.0/24 any
pass tcp 209.196.128.12/32 53 -> 208.158.118.0/24 any

-------------------------------------

Thanks for any and all help in advance.

-----------------------------------
Aaron McKinnon
System Administrator
Fullerene Productions, Inc.
3250 Wilshire Blvd. Suite 2000
Los Angeles, CA 90010
213.365.1692
-----------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
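The alert quoted in the post checked against pass rules of the kind posted, as an added example (Python, not from the original mail or from Snort): it re-implements just enough of Snort's rule-header matching (protocol, CIDR source/destination, ports, and the '->' / '<>' direction operators) to show which pass rule would silence the ICMP Echo Reply when snort runs with -o, and rejects any header whose direction operator is not one of the two Snort accepts. The regexes and the alert parser are simplified assumptions about the -Afull format, not Snort's own code.

```python
import ipaddress
import re

# Rule header only (action proto src sport dir dst dport); rule options are not parsed.
RULE_RE = re.compile(r"^(?P<action>pass|alert|log)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+"
                     r"(?P<sport>\S+)\s+(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$")
# Second line of a -Afull alert block: timestamp, then src[:port] -> dst[:port].
ALERT_RE = re.compile(r"^\S+\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
# The alert quoted in the post, embedded here as the sample input.
POSTED_ALERT = """[**] ICMP Echo Reply [**]
05/22-04:06:32.226477 208.158.118.100 -> 208.158.118.150
ICMP TTL:128 TOS:0x0 ID:32502 IpLen:20 DgmLen:84
Type:0 Code:0 ID:57209 Seq:0 ECHO REPLY"""

def parse_rule(line):
    """Parse a rule header; Snort accepts only '->' or '<>' as the direction operator."""
    m = RULE_RE.match(line.strip())
    if not m or m["dir"] not in ("->", "<>"):
        raise ValueError(f"invalid rule header: {line!r}")
    r = m.groupdict()
    r["src"] = ipaddress.ip_network(r["src"], strict=False)
    r["dst"] = ipaddress.ip_network(r["dst"], strict=False)
    return r

def parse_alert(text):
    lines = [l.strip() for l in text.strip().splitlines()]
    m = ALERT_RE.match(lines[1])
    return {"proto": lines[2].split()[0].lower(),  # "ICMP TTL:128 ..." -> "icmp"
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "sport": int(m["sport"]) if m["sport"] else None,
            "dport": int(m["dport"]) if m["dport"] else None}

def _port_ok(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)

def _fits(rule, src, dst, sport, dport):
    return (src in rule["src"] and dst in rule["dst"]
            and _port_ok(rule["sport"], sport) and _port_ok(rule["dport"], dport))

def matches(rule, a):
    """True if the alert falls inside the rule header; '<>' also tries the reverse direction."""
    if rule["proto"] not in (a["proto"], "ip"):
        return False
    return (_fits(rule, a["src"], a["dst"], a["sport"], a["dport"])
            or (rule["dir"] == "<>" and _fits(rule, a["dst"], a["src"], a["dport"], a["sport"])))

def suppressed(alert_text, rule_lines):
    """With 'snort -o' pass rules are evaluated before alert rules, so a matching pass rule silences the alert."""
    alert = parse_alert(alert_text)
    return any(r["action"] == "pass" and matches(r, alert) for r in map(parse_rule, rule_lines))
```

Without -o the default order is Alert, Pass, Log, so the same pass rule would never be consulted for this alert.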