Snort mailing list archives
RE: ignoring unwanted traffic coming from source
From: Ryan Hill <rhill () xypoint com>
Date: Mon, 10 Dec 2001 09:42:06 -0800
Emre, I could be wrong here, but you'll need to do the following to completely ignore traffic originating from 12.34.56.78/32:

1.) Change snort rules processing order using snort -o (pass rules applied first).

2.) Add appropriate pass rules for that host, e.g.:

    pass tcp 12.34.56.78 any -> any any
    pass udp 12.34.56.78 any -> any any
    pass icmp 12.34.56.78 any -> any any

3.) Change your portscan directive in snort.conf to ignore this host:

    preprocessor portscan-ignorehosts: [12.34.56.78/32]

In addition, I would define HOME_NET as the actual subnet(s) you're monitoring. If 12.34.56.78 is a class C and is the only subnet you're monitoring, the appropriate line would be:

    var HOME_NET [12.34.56.78/24]

If you do not change this appropriately, you may get false alarms or alerts that don't trigger for relevant attacks, based on where HOME_NET is defined (or if) as part of the alert signature.

Regards,

Ryan Hill, MCSE
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB
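The three steps Ryan lists, put together as one script. This is an added example and not code from the thread or from the Snort project: it generates the pass rules, a snort.conf fragment with the portscan preprocessor excluding the host and HOME_NET set to the monitored subnet, and prints the snort command line with -o. The ignored host 12.34.56.78, the subnet 12.34.56.0/24, the output directory, the portscan arguments (4 ports in 3 seconds, the snort.conf sample defaults of that era) and the log directory are all assumed values. Two points a practitioner should keep in mind: the "->" operator in a pass rule is one-directional, so scans aimed at the host from elsewhere still alert (which is what Emre observed), and without -o the 2001-era Snort evaluates Alert rules before Pass rules, so the pass rules never suppress anything; on later Snort 2.x releases the equivalent is the `config order:` directive in snort.conf, so check that before assuming -o is still needed.

```shell
#!/bin/sh
# Added example, not from the thread: build the pieces Ryan lists for
# ignoring one source host, and show the snort invocation that applies
# pass rules first (-o). Host, subnet and paths are assumed values and
# can be overridden through the environment.
set -eu

IGNORE_HOST="${IGNORE_HOST:-12.34.56.78}"      # host whose traffic is ignored
HOME_NET="${HOME_NET:-12.34.56.0/24}"          # assumed: the monitored class C
OUTDIR="${OUTDIR:-./snort-ignore-example}"     # where generated files go

# Pass rules for traffic *originating* from the host. "->" is
# one-directional, so probes sent to the host from elsewhere still alert.
make_pass_rules() {
  host="$1"
  for proto in tcp udp icmp; do
    printf 'pass %s %s any -> any any\n' "$proto" "$host"
  done
}

# snort.conf fragment: HOME_NET as the monitored subnet (not the single
# ignored host), the portscan preprocessor with the host excluded, and the
# include of the pass rules file. The portscan arguments "4 3 portscan.log"
# are the sample snort.conf values of that era and are assumed here.
make_conf_fragment() {
  host="$1"; net="$2"
  printf 'var HOME_NET [%s]\n' "$net"
  printf 'var EXTERNAL_NET any\n'
  printf 'preprocessor portscan: $HOME_NET 4 3 portscan.log\n'
  printf 'preprocessor portscan-ignorehosts: %s/32\n' "$host"
  printf 'include pass-%s.rules\n' "$host"
}

# Without -o, Snort 1.x tests Alert rules before Pass rules, so the pass
# rules above would never get a chance to suppress anything.
snort_cmd() {
  conf="$1"
  printf 'snort -o -c %s -l /var/log/snort\n' "$conf"
}

# Write the rules file and the conf fragment to OUTDIR (assumed paths).
write_files() {
  mkdir -p "$OUTDIR"
  make_pass_rules "$IGNORE_HOST" > "$OUTDIR/pass-$IGNORE_HOST.rules"
  make_conf_fragment "$IGNORE_HOST" "$HOME_NET" > "$OUTDIR/snort.conf.fragment"
  echo "Wrote $OUTDIR; merge snort.conf.fragment into snort.conf, then run:"
  snort_cmd /etc/snort/snort.conf
}

# Only generate files when asked, so the functions can be sourced without
# side effects:  sh ignore-host.sh write
if [ "${1:-}" = "write" ]; then
  write_files
fi
```

Run it as `sh ignore-host.sh write`, copy the generated pass rules file next to your other rule files, merge the fragment into snort.conf, and start Snort with the printed command so that -o puts pass rules ahead of alert rules. To also silence traffic sent *to* the host, a second set of pass rules with the host on the right-hand side (or the "<>" operator) would be needed; the thread only asks for traffic originating from it.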
Okay, here's what I did: I set HOME_NET to 12.34.56.78/32 and EXTERNAL_NET is still set to any. I tried port scanning from the machine and then port scanning the machine from some other machine (if that makes any sense). The port scan showed up in the alerts when I scanned 12.34.56.78 from some other machine, but no port scan alerts showed up when I scanned some other machine from 12.34.56.78. So I guess it's working? I have to give it a few days of run time to see how many alerts get generated, and see if any of those have a source of 12.34.56.78. If none of them do, it worked. It's been a long time since I set up snort (and it seems like it changed a lot over a year)... forgive me :-D
Current thread:
- ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source John Sage (Dec 09)
- Re: ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source John Sage (Dec 09)
- Re: ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source John Sage (Dec 09)
- <Possible follow-ups>
- RE: ignoring unwanted traffic coming from source Ryan Hill (Dec 10)