Snort mailing list archives
Re: Excluding $HOME_NET -> $HOME_NET Alerts
From: Michael Boman <michael.boman () securecirt com>
Date: Mon, 20 May 2002 11:36:14 +0800
On Monday 20 May 2002 10:41, Ed Kasky wrote:
> At 10:20 AM Monday, 5/20/2002, Michael Boman wrote -=>
> > On Monday 20 May 2002 10:00, Ed Kasky wrote:
> > > Is there a way to disable certain alerts from any home_net host to another home_net host? I back up my web server over the wire to a tape machine and get flooded with "Shellcode X86 Noop" alerts whenever I run it. I also get a lot of "WEB-MISC long basic authorization string" alerts using acid to view alerts in a mysql database. I was under the impression that "alert ip $EXTERNAL_NET any -> $HOME_NET" took care of this. From my snort.conf:
> > >
> > > var HOME_NET 10.0.0.0/24
> >
> > And I bet you have:
> >
> > var EXTERNAL_NET any
>
> Good guess...
>
> > that matches any address, including those in HOME_NET. why not set EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET). This would however limit the ability to catch insiders....
>
> I see what you mean if I change it in snort.conf. Will this work in an individual rule:
>
> "alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET"
>
> Or can I even make it more specific to exclude the one ip address that is causing the specific alert when backing up?
>
> "alert ip $EXTERNAL_NET !10.0.0.3 -> $HOME_NET"
You could create a 'pass' rule.

    var HOME_NET [10.1.1.0/24,10.1.2.0/24]
    var EXTERNAL_NET !$HOME_NET
    var IGNORE_THIS_BOX [10.2.1.92]

    pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incomming traffic";)

and start snort with '-o'. Be careful though, too many pass rules and performance is dropping dramatically.

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
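As an added illustration that is not part of the thread, the following Python model reproduces the two behaviours Michael's reply relies on: `any` matches HOME_NET hosts while `!$HOME_NET` does not, and a pass rule only takes precedence over an alert rule when Snort 1.x is started with `-o` (Pass->Alert->Log instead of the default Alert->Pass->Log). The variables and rules are the ones from the reply; the matching and ordering code is a simplified stand-in written for this example, not Snort's own.

```python
import ipaddress

# Constructed stand-in for Snort's address-variable matching and rule-type
# ordering; not Snort code. Variables and rules are those from the reply.
BASE_VARS = {
    "HOME_NET": "[10.1.1.0/24,10.1.2.0/24]",
    "IGNORE_THIS_BOX": "[10.2.1.92]",
}

RULES = [  # (action, source spec, destination spec, msg)
    ("pass", "$IGNORE_THIS_BOX", "$HOME_NET", "I am ignoring you"),
    ("alert", "$EXTERNAL_NET", "$HOME_NET", "(External) Incomming traffic"),
]


def expand(spec, variables):
    """Resolve $VAR and leading '!' in an address spec -> (negated, networks)."""
    negated = False
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = expand(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    if spec == "any":  # 'any' is 0.0.0.0/0, so it covers HOME_NET as well
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]


def matches(spec, ip, variables):
    """True if ip satisfies spec; a leading '!' inverts the membership test."""
    negated, nets = expand(spec, variables)
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets) != negated


def verdict(src, dst, external_net, with_o_flag=False):
    """First rule that fires for a src->dst packet, in Snort 1.x rule-type order.

    Default order is Alert->Pass->Log; '-o' switches it to Pass->Alert->Log,
    which is why the pass rule only suppresses the alert when -o is given.
    """
    variables = dict(BASE_VARS, EXTERNAL_NET=external_net)
    order = ["pass", "alert", "log"] if with_o_flag else ["alert", "pass", "log"]
    for action in order:
        for act, s, d, msg in RULES:
            if act == action and matches(s, src, variables) and matches(d, dst, variables):
                return act, msg
    return None, None
```

Running `verdict("10.2.1.92", "10.1.1.5", "any")` with and without `with_o_flag=True` shows the backup host alerted on in the default order and passed only under `-o`.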