Snort mailing list archives
RE: single ip address
From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Thu, 21 Feb 2002 19:26:23 -0800
Hi Scott,

If you would like to ignore an address that is setting off a particular alert rule (not port scan pre-processor or stealth scan) and say for example that the destination port for the rule was 98 (Linux Config) and the host was on your $HOME_NET, you could do:

pass tcp 192.168.12.4/32 any -> any 98

And from the snort command line invoke the -o option to call the pass rules. Example:

snort -d -o -A fast -c snort.conf

or:

pass tcp 192.168.12.4/32 any -> $EXTERNAL_NET 98

or if udp:

pass udp 192.168.12.4/32 any -> any 98

If the offending node is setting off the port scan pre-processor (non-stealth) you could do: define the variable in snort.conf

var DNS2 192.168.12.4

and then in pre-processor portscan ignore:

$DNS2

If the offending node is triggering the stealth code for the port scan pre-processor or stream4, you need a Berkeley Packet Filter, for example at the command line:

snort -d -A fast -c snort.conf not (src host 192.168.12.4 and dst port 98)

src is source, dst is destination.

Hope this will help, and if I have made any glaring errors I trust that my snort friends will take two drinks and correct me.

Brent Erickson

-----Original Message-----
From: Scott Taylor [mailto:scottt () soccer com]
Sent: Thursday, February 21, 2002 5:33 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] single ip address

Hello all,

I'm having a hard time finding info on applying rules to a single IP addy. For instance, if I want to ignore a single IP address, what would the pass rule look like?

pass tcp 192.168.12.4 -> any any

or do I need a /24 on the end of the IP? Would this work in the snort.conf under home_net?

Cheers, take 1 chug and kiss the person on your right.

Scott
THERE IS ONLY ONE...
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
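The core of Scott's question is what a rule header with a bare IP, a /32 or a /24 actually matches. The following is an added example written for this archive page, not Snort's own code and not something either poster provided: a small Python evaluator for the address and port fields of a Snort 1.x rule header, run over a handful of constructed packets. The variable values (HOME_NET, EXTERNAL_NET, DNS2) and the sample traffic are assumptions made up for the demonstration; the evaluator models only header matching, not rule options, preprocessors, or the -o rule-ordering switch Brent mentions.

```python
"""Tiny evaluator for the Snort 1.x rule-header subset used in this thread.
Added example, not Snort's own code: it models only the address/port
matching of a header such as `pass tcp 192.168.12.4/32 any -> any 98`,
not rule options, preprocessors, or the -o rule ordering."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for `var` lines in snort.conf (assumed values).
VARS = {
    "HOME_NET": "192.168.12.0/24",
    "EXTERNAL_NET": "!192.168.12.0/24",
    "DNS2": "192.168.12.4",
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def addr_matches(spec: str, ip: str) -> bool:
    """Address field: any | $VAR | [!]a.b.c.d[/bits]. A bare IP is a /32,
    which is why `192.168.12.4` and `192.168.12.4/32` behave identically."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    """Port field: any | N | lo:hi (either bound may be omitted)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def parse_header(rule: str) -> dict:
    """Split `action proto src sport -> dst dport` into its seven fields."""
    fields = rule.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError(f"unsupported rule header: {rule!r}")
    action, proto, src, sport, _, dst, dport = fields
    return {"action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport}


def header_matches(rule: str, pkt: Packet) -> bool:
    """True when every field of the header accepts the packet."""
    h = parse_header(rule)
    return (h["proto"] in ("ip", pkt.proto)
            and addr_matches(h["src"], pkt.src)
            and port_matches(h["sport"], pkt.sport)
            and addr_matches(h["dst"], pkt.dst)
            and port_matches(h["dport"], pkt.dport))


def swallowed_by_pass(rule: str, packets) -> list:
    """Packets a pass rule would keep away from the alert rules
    (in Snort 1.x only when run with -o, as the thread says)."""
    return [p for p in packets if header_matches(rule, p)]


# Constructed traffic: the host in question hitting port 98, a neighbour
# doing the same, the same host on another port and protocol, and one
# flow from that host that stays inside HOME_NET.
SAMPLE = [
    Packet("tcp", "192.168.12.4", 40001, "10.0.0.1", 98),
    Packet("tcp", "192.168.12.5", 40002, "10.0.0.1", 98),
    Packet("tcp", "192.168.12.4", 40003, "10.0.0.1", 80),
    Packet("udp", "192.168.12.4", 40004, "10.0.0.1", 98),
    Packet("tcp", "192.168.12.4", 40005, "192.168.12.9", 98),
]

if __name__ == "__main__":
    for rule in ("pass tcp 192.168.12.4 any -> any 98",
                 "pass tcp 192.168.12.4/32 any -> any 98",
                 "pass tcp 192.168.12.4/24 any -> any 98",
                 "pass tcp $DNS2 any -> $EXTERNAL_NET 98"):
        hits = swallowed_by_pass(rule, SAMPLE)
        print(f"{rule:45} -> {[(p.src, p.dst, p.dport) for p in hits]}")
```

Running it shows the bare IP and the /32 form selecting exactly the same packets, while /24 also swallows the neighbour at .5, so a /24 would silence far more than the one host. The udp packet is never matched by a tcp rule, and the $EXTERNAL_NET form (a negated network) excludes the flow that stays inside the home subnet.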
Current thread:
- single ip address Scott Taylor (Feb 21)
- Re: single ip address Erek Adams (Feb 21)
- <Possible follow-ups>
- RE: single ip address Erickson Brent W KPWA (Feb 21)
- Re: single ip address Phil Wood (Feb 21)