Snort mailing list archives
RE: Rule Creation Question !.
From: "Wayne T Work" <securitygauntlet () snet net>
Date: Thu, 3 Oct 2002 17:53:59 -0400
Place an IP address in the variables in the snort.conf file which tells Snort which servers you are using, such as DNS_SERVER and SMTP. Uncomment this line:

    preprocessor portscan-ignorehosts: $DNS_SERVERS

(and add $SMTP). This is one way to ignore some of the traffic which is naturally created by these services. IMHO I would not ignore ALL the traffic from these servers, as they can be readily exploited.

If you just have an absolute need to ignore them, yes, you can write a PASS rule and use something like:

    pass tcp $SMTP 53 -> $EXTERNAL_NET any

You should place this in local rules and enable it in snort.conf. This should ignore any port 53 SMTP traffic outbound for any external address and port.

Be careful though; as I said, if your server gets compromised you can have lots of trouble not seeing the traffic. SMTP relay comes to mind right away.

Good luck

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Moreno Poli
Sent: Tuesday, October 01, 2002 10:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rule Creation Question !.

If I have a server with POP3 and SMTP services, is it possible to create a rule that logs all incoming traffic except traffic for these 2 ports? I know that it is possible to create a rule that logs all traffic except 1 port, but if the ports are two or three, is it possible?

Moreno Poli
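An added example, not written by either poster, of one way to express what this thread discusses: pass rules for the two mail ports followed by log rules for everything else, with the pass rules limited to inbound client traffic so that connections the server itself opens stay visible. The MAIL_SERVER variable name and the 192.0.2.25 address are constructed for illustration.

```snort
# --- snort.conf ---
# Constructed address (documentation range); MAIL_SERVER is a
# hypothetical variable name, not one shipped in snort.conf.
var MAIL_SERVER 192.0.2.25/32

# --- local.rules ---
# Snort's default evaluation order is alert, then pass, then log, so
# alert rules still inspect the mail traffic before these pass rules
# exclude it from logging.

# Inbound client traffic to SMTP (25) and POP3 (110): do not log.
pass tcp $EXTERNAL_NET any -> $MAIL_SERVER 25
pass tcp $EXTERNAL_NET any -> $MAIL_SERVER 110

# Everything else inbound to the server is logged.
log tcp  $EXTERNAL_NET any -> $MAIL_SERVER any
log udp  $EXTERNAL_NET any -> $MAIL_SERVER any
log icmp $EXTERNAL_NET any -> $MAIL_SERVER any

# The pass rules above are one-directional (->), so they do not hide
# connections that the server initiates. Logging its outbound SYNs
# keeps a record of what it connects to, which is the visibility the
# reply warns about losing if the server is compromised or relaying.
log tcp $MAIL_SERVER any -> $EXTERNAL_NET any (flags: S;)
```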