Snort mailing list archives

RE: Rule Creation Question !.


From: "Wayne T Work" <securitygauntlet () snet net>
Date: Thu, 3 Oct 2002 17:53:59 -0400

Place an IP address in the variables in the snort.conf file which tells
Snort which servers you are using such as DNS_SERVER and SMTP. Uncomment
this line --- preprocessor portscan-ignorehosts: $DNS_SERVERS (and add
$SMTP). This is one way to ignore some of the traffic which is naturally
created by these services. 
 
IMHO I would not ignore ALL the traffic from these servers as they can be
readily exploited.  
 
If you just have an absolute need to ignore them, yes, you can write a PASS
rule and use something like:    pass tcp $SMTP 53 -> $EXTERNAL_NET any
You should place this in local rules and enable it in snort.conf.
 
This should ignore any port 53 SMTP traffic outbound for any external
address and port. Be careful though, as I said, if your server gets
compromised you can have lots of trouble not seeing the traffic. SMTP relay
comes to mind right away.
 
Good luck
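As an added example (not from either poster), here is the pass-rule approach applied to the original question, with the mail server's address 192.168.1.10 as an assumed value and Snort 1.9/2.x rule syntax:

```snort
# --- snort.conf (fragment) ---
# Assumed address of the POP3/SMTP server (constructed example value).
var HOME_NET 192.168.1.10/32
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules

# Pull in the site-specific rules below.
include $RULE_PATH/local.rules

# --- local.rules ---
# Exclude only the two service ports from logging. Everything else the
# server receives is still logged by the last rule, so probes against
# other ports are not lost. Traffic to 25 and 110 themselves becomes
# invisible (e.g. SMTP relay abuse), which is the trade-off described above.
pass tcp $EXTERNAL_NET any -> $HOME_NET 25  (msg:"pass inbound SMTP"; sid:1000001; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"pass inbound POP3"; sid:1000002; rev:1;)
# A third excluded port is simply another pass line:
# pass tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"pass inbound IMAP"; sid:1000003; rev:1;)

# Log all other inbound TCP to the server.
log tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"inbound to mail server"; sid:1000004; rev:1;)
```

Snort's default rule order is Alert -> Pass -> Log, so pass rules already take precedence over log rules; they only override the bundled alert rules when Snort is started with -o (Pass -> Alert -> Log).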

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Moreno Poli
Sent: Tuesday, October 01, 2002 10:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rule Creation Question !.


If I have a server with POP3 and SMTP services, is it possible to create a rule
that logs all incoming traffic except traffic for these 2 ports? I know that it
is possible
to create a rule that logs all traffic except 1 port, but if the ports are two
or three, is it possible?
 
 
Moreno Poli
