Snort mailing list archives

RE: Snort-users digest, Vol 1 #2401 - 11 msgs


From: "Hughes, Andy" <Andy.Hughes () aquilent com>
Date: Wed, 23 Oct 2002 13:29:44 -0400

Mucho thanks to all.  I am 'passing' all kinds of good stuff and my logs are far more readable now.

Andy 

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net]
Sent: Wednesday, October 23, 2002 11:43 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2401 - 11 msgs


Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Schema on Mysql (Ibarra, Michael)
   2. RE: Redhat 8.0 (Wayne T Work)
   3. RE: Redhat 8.0 (Tom Morgan)
   4. RE: Redhat 8.0 (Wayne T Work)
   5. How to centralize the logs? (=?iso-8859-1?q?mario?=)
   6. Idea for http response code as flag. (Kreimendahl, Chad J)
   7. pass rules (Hughes, Andy)
   8. RE: Redhat 8.0 (Security Admin)
   9. Re: pass rules (Alberto Gonzalez)
  10. RE: pass rules (Hughes, Andy)
  11. Re: pass rules (Jens Krabbenhoeft)

--__--__--

Message: 1
From: "Ibarra, Michael" <m.ibarra () cdcixis-na com>
To: "'R'" <rr () conformix com>,
        "Snort-Users@Lists. Sourceforge. Net"
         <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Schema on Mysql
Date: Wed, 23 Oct 2002 09:11:16 -0400


What? No, you do not need to drop the entire database just to change a
table. 
Look into the archives, this has already been discussed. DO NOT drop your
database, unless you do not care to keep any of its data. 

-----Original Message-----
From: R [mailto:rr () conformix com]
Sent: Tuesday, October 22, 2002 9:55 PM
To: Snort-Users@Lists. Sourceforge. Net
Subject: RE: [Snort-users] Schema on Mysql


The easiest way is to drop the old DB, create a new one and then create
tables using create_mysql:

Use these steps:

1. mysql localhost

2. drop database <database_name>

3. create database <database_name>

4. exit

5. mysql <database_name> <create_mysql

 

 

-----Original Message-----

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian Nestor

Sent: Monday, October 21, 2002 9:26 AM

To: snort-users () lists sourceforge net

Subject: [Snort-users] Schema on Mysql

 

I am trying to run snort and log the data to MYSQL for use with ACID. I am
getting an error. The underlying DB seems to be running an older version of
the DB Schema. I am running snort 1.87 and mysql 3.23.52. I used the
create_mysql script to create the tables in the DB. Any help would be
appreciated. Thanks

Brian

 




--__--__--

Message: 2
From: "Wayne T Work" <securitygauntlet () snet net>
To: "'Tom Morgan'" <RTMorgan () azzincorporated com>,
   <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Redhat 8.0
Date: Wed, 23 Oct 2002 09:49:47 -0400

Tom,

Can I ask you why you are tired of working on a Win2K platform for Snort?
Also, why are you planning to use Red Hat 8.0? Any particular choice of
platform?

Thanks for your time and efforts

Wayne

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Tom Morgan
Sent: Wednesday, October 23, 2002 9:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Redhat 8.0


Hello,

Any issues running snort 1.9.0 on Redhat 8.0?  Tired of working with win32
version on Windows 2000.


Thanks,
Tom


-------------------------------------------------------
This sf.net email is sponsored by: Influence the future
of Java(TM) technology. Join the Java Community
Process(SM) (JCP(SM)) program now.
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





--__--__--

Message: 3
From: Tom Morgan <RTMorgan () azzincorporated com>
To: 'Wayne T Work' <securitygauntlet () snet net>, Tom Morgan
         <RTMorgan () azzincorporated com>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0
Date: Wed, 23 Oct 2002 09:24:05 -0500

Wayne,

Most of the snort information available pertains to Linux installs.  The
win32 version does not always have the ancillary contrib files and so forth.
No particular reason for RH 8.0 other than that is what I am running.  

Thanks,
Tom

-----Original Message-----
From: Wayne T Work [mailto:securitygauntlet () snet net]
Sent: Wednesday, October 23, 2002 8:50 AM
To: 'Tom Morgan'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0


Tom,

Can I ask you why you are tired of working on a Win2K platform for Snort?
Also, why are you planning to use Red Hat 8.0? Any particular choice of
platform?

Thanks for your time and efforts

Wayne

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Tom Morgan
Sent: Wednesday, October 23, 2002 9:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Redhat 8.0


Hello,

Any issues running snort 1.9.0 on Redhat 8.0?  Tired of working with win32
version on Windows 2000.


Thanks,
Tom






--__--__--

Message: 4
From: "Wayne T Work" <securitygauntlet () snet net>
To: "'Tom Morgan'" <RTMorgan () azzincorporated com>,
   <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Redhat 8.0
Date: Wed, 23 Oct 2002 10:26:06 -0400


Kewl,

Just wanted your opinion on the matter. You are right though, most of the
contrib stuff is Unix based. I have seen some issues with Red Hat 8.0 on the
mailing listsrv. Might want to look at some of the archive info. Seems like
most are going back to RH 7.3. Seems to work a bit better especially on the
install. (By the way, I have installed did on 8.0 with no problems, ACID,
MySQL, Syslog)

Good luck



-----Original Message-----
From: Tom Morgan [mailto:RTMorgan () azzincorporated com]
Sent: Wednesday, October 23, 2002 10:24 AM
To: 'Wayne T Work'; Tom Morgan; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0


Wayne,

Most of the snort information available pertains to Linux installs.  The
win32 version does not always have the ancillary contrib files and so forth.
No particular reason for RH 8.0 other than that is what I am running.

Thanks,
Tom

-----Original Message-----
From: Wayne T Work [mailto:securitygauntlet () snet net]
Sent: Wednesday, October 23, 2002 8:50 AM
To: 'Tom Morgan'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0


Tom,

Can I ask you why you are tired of working on a Win2K platform for Snort?
Also, why are you planning to use Red Hat 8.0? Any particular choice of
platform?

Thanks for your time and efforts

Wayne

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Tom Morgan
Sent: Wednesday, October 23, 2002 9:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Redhat 8.0


Hello,

Any issues running snort 1.9.0 on Redhat 8.0?  Tired of working with win32
version on Windows 2000.


Thanks,
Tom









--__--__--

Message: 5
Date: Wed, 23 Oct 2002 16:44:35 +0200 (CEST)
From: =?iso-8859-1?q?mario?= <gvnn75 () yahoo it>
To: snort-users () lists sourceforge net
Subject: [Snort-users] How to centralize the logs?

Hi mates, I've a problem!
I've 3 snort sensors that are located in the front-end,
DMZ and back-end. The sensors already send the logs to a
MySQL DB on the PC in the DMZ. Now I want snort to
send me mail if there are red alerts. Can I centralize
the logs on the PC in the DMZ (using for example
Alert_syslog)? Can I use the information that is already
in the DB without re-sending the logs to the PC in the DMZ?

Thanks
Giovanni

______________________________________________________________________
My Yahoo!: personalize Yahoo! the way you like it
http://it.yahoo.com/mail_it/foot/?http://it.my.yahoo.com/


--__--__--

Message: 6
Date: Wed, 23 Oct 2002 10:00:21 -0500
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
To: <snort-users () lists sourceforge net>
Cc: <snort-devel () lists sourceforge net>
Subject: [Snort-users] Idea for http response code as flag.


<This might actually get read if I send it with a subject line.>

A group of us that use and monitor snort related stuff meets every so
often to talk about 'stuff'... And though I think I've heard this
before, I can't seem to find it. So here it is:

It would be highly "COOL" if there were a flag that could be set within
a rule that identified what type of response was returned from an HTTP
daemon. This way, web rules would be able to have many false positives
removed, since in the vast majority of cases a non-OK (200) message
would mean the attempt failed.  I realize it may cause problems, because
you're requiring the inspection of multiple packets... And some rules
that have uricontent actually are responses from servers, so I'm not
really sure how all that would work out at this point....

So a rule could be created as such:

Original ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar-admin.pl access"; flow:to_server,established;
uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215;
classtype:web-application-activity; sid:1701; rev:3;)
New ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar-admin.pl access"; flow:to_server,established;
uricontent:"/calendar-admin.pl"; nocase; http-status-code:successful;
reference:bugtraq,1215; classtype:web-application-activity; sid:1701;
rev:3;)

Possible groupings for different types of responses:
1. successful
        one of the 200's and possibly 300's
2. failure
        any 400 or 500
3. serverror
        any 500
4. bad
        any 400
5. redir
        any 300 (possibly excluding 304)
6. ok
        200 (possibly all other 200s)


Should probably also allow a comma separated list of http status codes.
And the name for it can easily be different (http-return-code, httpcode,
httpreturn, httpstatus...)

http://www.w3.org/Protocols/HTTP/HTRESP.html
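The option proposed above does not exist in the Snort this thread discusses; what follows is an added Python model (my example, not Chad's or Snort's code) of how a rule carrying such an `http-status-code` option would be evaluated against request/response pairs, so the false-positive reduction he describes can be seen on sample traffic. The groupings follow the list in the post, with its two "possibly" choices resolved as assumptions (300s count as "successful", 304 is excluded from "redir"); the rule is sid 1701 reduced to the options the model acts on, and the traffic is constructed.

```python
import re

# Response groupings from the post, as predicates on the numeric code.
# Assumed interpretation: "successful" includes the 300s, "redir" excludes 304.
GROUPS = {
    "successful": lambda c: 200 <= c < 400,
    "failure":    lambda c: 400 <= c < 600,
    "serverror":  lambda c: 500 <= c < 600,
    "bad":        lambda c: 400 <= c < 500,
    "redir":      lambda c: 300 <= c < 400 and c != 304,
    "ok":         lambda c: c == 200,
}

# Status line of an HTTP/1.x response: version, a space, a three-digit code.
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})\b")


def parse_status_code(response: bytes):
    """Return the status code from the server's first response line, or None
    when the bytes do not start with a well-formed status line (truncated or
    non-HTTP reply), so the caller can fail closed instead of guessing."""
    m = STATUS_LINE.match(response)
    return int(m.group(1)) if m else None


def status_matches(code: int, spec: str) -> bool:
    """spec is a group name from GROUPS or a comma-separated list of codes,
    the two spellings the post asks for."""
    if spec in GROUPS:
        return GROUPS[spec](code)
    try:
        wanted = {int(x) for x in spec.split(",")}
    except ValueError:
        raise ValueError("unknown http-status-code spec: %r" % spec) from None
    return code in wanted


def evaluate(rule: dict, request_uri: str, response: bytes):
    """Apply one rule to a request/response pair. Returns the rule's msg when
    the uricontent is present in the request URI and, if the hypothetical
    http-status-code option is set, the server's answer satisfies it; a
    missing or unparsable status line never satisfies the option."""
    uri, needle = request_uri, rule["uricontent"]
    if rule.get("nocase"):
        uri, needle = uri.lower(), needle.lower()
    if needle not in uri:
        return None
    spec = rule.get("http-status-code")
    if spec is not None:
        code = parse_status_code(response)
        if code is None or not status_matches(code, spec):
            return None
    return rule["msg"]


# Sid 1701 from the post, reduced to the options this model uses; PROPOSED
# adds the option exactly as the post's "New ->" rule does.
ORIGINAL = {"msg": "WEB-CGI calendar-admin.pl access",
            "uricontent": "/calendar-admin.pl", "nocase": True}
PROPOSED = dict(ORIGINAL, **{"http-status-code": "successful"})

# Constructed traffic: three probes for the script and one unrelated request,
# each paired with the first line of the server's response.
EXCHANGES = [
    ("/cgi-bin/calendar-admin.pl", b"HTTP/1.1 404 Not Found\r\n\r\n"),
    ("/cgi-bin/Calendar-Admin.pl", b"HTTP/1.1 200 OK\r\n\r\n"),
    ("/index.html",                b"HTTP/1.1 200 OK\r\n\r\n"),
    ("/cgi-bin/calendar-admin.pl", b"HTTP/1.0 500 Internal Server Error\r\n\r\n"),
]


def run_sample():
    """For each rule variant, the response codes of the exchanges that still
    raise an alert: the original rule fires on every probe, the proposed one
    only where the server actually answered 2xx/3xx."""
    return {
        name: [parse_status_code(resp) for uri, resp in EXCHANGES
               if evaluate(rule, uri, resp)]
        for name, rule in (("original", ORIGINAL), ("with_status", PROPOSED))
    }


if __name__ == "__main__":
    print(run_sample())  # {'original': [404, 200, 500], 'with_status': [200]}
```

The fail-closed choice in `evaluate` is deliberate: a sensor that cannot see or parse the response (the multi-packet problem the post raises) should keep the alert rather than silently drop it, so the option only ever removes alerts it has positive evidence for.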


--__--__--

Message: 7
Date: Wed, 23 Oct 2002 11:02:49 -0400
From: "Hughes, Andy" <Andy.Hughes () aquilent com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] pass rules


Hi all
New to snort.  Have looked high and fairly low for info on pass rules,
and other than references to the fact that I should write them and use
them, and that I should then use the  -o  argument, I am not finding the
info on how to write one nor exactly where to put the rule if I did
write one.  Can someone point me in the direction?

TIA,

Andy Hughes
Systems Engineer
Aquilent, Inc
(301) 939-1430
1100 West Street
Laurel, MD 20707




--__--__--

Message: 8
From: Security Admin <SecurityAdmin () hyprotech com>
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0
Date: Wed, 23 Oct 2002 09:11:02 -0600

Have you investigated a *bsd platform? I messed with Linux and then played
with the FreeBSD and OpenBSD platforms. After lots of messing around I find
the FreeBSD platform nice and easy, with an optional GUI if you are so
inclined.
There is a doc at http://www.inetsecurity.info covering the install steps of
snort, mysql, apache and acid on freeBSD (actually it covers a central
logging console and remote sensors, but you just need to install snort on
the console and you're working on a single machine)

Just my couple pennies worth :o)

-----Original Message-----
From: Wayne T Work [mailto:securitygauntlet () snet net] 
Sent: Wednesday, October 23, 2002 8:26 AM
To: 'Tom Morgan'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0

Kewl,

Just wanted your opinion on the matter. You are right though, most of the
contrib stuff is Unix based. I have seen some issues with Red Hat 8.0 on the
mailing listsrv. Might want to look at some of the archive info. Seems like
most are going back to RH 7.3. Seems to work a bit better especially on the
install. (By the way, I have installed did on 8.0 with no problems, ACID,
MySQL, Syslog)

Good luck



-----Original Message-----
From: Tom Morgan [mailto:RTMorgan () azzincorporated com]
Sent: Wednesday, October 23, 2002 10:24 AM
To: 'Wayne T Work'; Tom Morgan; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0


Wayne,

Most of the snort information available pertains to Linux installs.  The
win32 version does not always have the ancillary contrib files and so forth.
No particular reason for RH 8.0 other than that is what I am running.

Thanks,
Tom

-----Original Message-----
From: Wayne T Work [mailto:securitygauntlet () snet net]
Sent: Wednesday, October 23, 2002 8:50 AM
To: 'Tom Morgan'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Redhat 8.0


Tom,

Can I ask you why you are tired of working on a Win2K platform for Snort?
Also, why are you planning to use Red Hat 8.0? Any particular choice of
platform?

Thanks for your time and efforts

Wayne

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Tom Morgan
Sent: Wednesday, October 23, 2002 9:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Redhat 8.0


Hello,

Any issues running snort 1.9.0 on Redhat 8.0?  Tired of working with win32
version on Windows 2000.


Thanks,
Tom






--__--__--

Message: 9
Date: Wed, 23 Oct 2002 11:22:27 -0700
From: Alberto Gonzalez <ag-snort () cerebro violating us>
To: "Hughes, Andy" <Andy.Hughes () aquilent com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pass rules

http://www.snort.org/docs/writing_rules/ <-- that is basically the 
"Snort Users Manual" so grab it, you can also grab it via PDF.



Hughes, Andy wrote:

Hi all
New to snort.  Have looked high and fairly low for info on pass rules, 
and other than references to the fact that I should write them and use 
them, and that I should then use the  -o  argument, I am not finding 
the info on how to write one nor exactly where to put the rule if I 
did write one.  Can someone point me in the direction?

TIA,

Andy Hughes
Systems Engineer
Aquilent, Inc
(301) 939-1430
1100 West Street
Laurel, MD 20707


-- 
The secret to success is to start from scratch and keep on scratching.




--__--__--

Message: 10
Subject: RE: [Snort-users] pass rules
Date: Wed, 23 Oct 2002 11:26:29 -0400
From: "Hughes, Andy" <Andy.Hughes () aquilent com>
To: "Alberto Gonzalez" <ag-snort () cerebro violating us>
Cc: <snort-users () lists sourceforge net>

Alberto
Thanks for the reply.  Perhaps I read right past it, but I did look
there and didn't see the part about how to write pass rules and where to
put them.  'Course, I've never been accused of being particularly adept
at reading...
I'll try again.

Andy


-----Original Message-----
From: Alberto Gonzalez [mailto:ag-snort () cerebro violating us]
Sent: Wednesday, October 23, 2002 2:22 PM
To: Hughes, Andy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pass rules


http://www.snort.org/docs/writing_rules/ <-- that is basically the
"Snort Users Manual" so grab it, you can also grab it via PDF.



Hughes, Andy wrote:

Hi all
New to snort.  Have looked high and fairly low for info on pass rules,
and other than references to the fact that I should write them and use
them, and that I should then use the  -o  argument, I am not finding
the info on how to write one nor exactly where to put the rule if I
did write one.  Can someone point me in the direction?

TIA,

Andy Hughes
Systems Engineer
Aquilent, Inc
(301) 939-1430
1100 West Street
Laurel, MD 20707


-- 
The secret to success is to start from scratch and keep on scratching.




--__--__--

Message: 11
Date:   Wed, 23 Oct 2002 17:41:54 +0200
From:   Jens Krabbenhoeft <tschenz-snort-users () noris net>
To:     snort-users () lists sourceforge net
Subject: Re: [Snort-users] pass rules

Hi Andy,

> New to snort.  Have looked high and fairly low for info on pass rules,
> and other than references to the fact that I should write them and use
> them, and that I should then use the -o argument, I am not finding the

The -o is for changing the rule-order, see the manpage for that:

-o   Change the order in which the rules are applied to packets.  Instead
     of being applied in the standard Alert->Pass->Log order, this will apply
     them in Pass->Alert->Log order.

> info on how to write one nor exactly where to put the rule if I did

pass-rules are normal rules, with the "action" set to pass. You can
write them as described in http://www.snort.org/docs/writing_rules/. See
chapter 2 there.

> write one.  Can someone point me in the direction?

The rule has to be in the snort.conf file, or in a file, you include. So
you can put the pass rule in all your included rule-files (perhaps
local.rules), or if you want to filter out a special sid, just take the
appropriate .rules-file, and substitute "alert ..." with "pass ...".

E.g., if you are bored by the codered-alerts, just edit sid 1256 to the
following in web-iis.rules (note the action is set to pass here):

pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
CodeRed v2 root.exe access"; flow:to_server,established;
uricontent:"/root.exe"; nocase; classtype:web-application-attack; 
reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256;
rev:7;)

If you would like to ignore all TCP traffic from $EXTERNAL_NET to a box
192.168.0.4, it would be:

pass tcp $EXTERNAL_NET any -> 192.168.0.4 any

There is a document on Erek's webserver, which covers how to ignore
things in snort, I think the pass-thingie is described there as
well. The URL is http://www.theadamsfamily.net/~erek/snort/ignore.txt
but it seems to be offline at the moment.

HTH,

        Jens
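As an added illustration of the rule order Jens describes (my code, not Snort's), here is a small Python model: it parses the two rules from the reply above (sid 1256 in its original alert form, plus the pass rule for 192.168.0.4), puts a constructed outside request for /root.exe through them, and shows that under the default Alert->Pass->Log order the alert fires before the pass rule is ever consulted, while the Pass->Alert->Log order that -o selects lets the pass rule win. The $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS values and the "first matching rule decides" semantics are assumptions of the model, and options such as flow, classtype, reference, sid and rev are parsed but ignored.

```python
import ipaddress
import re

# Constructed snort.conf variable values for this model (not the page's config):
# $EXTERNAL_NET is the negation of the internal range, $HTTP_SERVERS one subnet.
NETVARS = {
    "$EXTERNAL_NET": (True, ipaddress.ip_network("192.168.0.0/16")),   # negated
    "$HTTP_SERVERS": (False, ipaddress.ip_network("192.168.0.0/24")),
}
PORTVARS = {"$HTTP_PORTS": {80}}

# Rule header: action proto src sport -> dst dport, then an optional option block.
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$")


def parse_rule(text: str) -> dict:
    """Parse the header plus the options this model acts on (msg, uricontent,
    nocase); any other option is accepted and ignored (a simplification)."""
    m = HEADER.match(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": None, "uricontent": None,
            "nocase": False}
    for opt in (opts or "").split(";"):
        key, _, val = opt.strip().partition(":")
        if key == "msg":
            rule["msg"] = val.strip().strip('"')
        elif key == "uricontent":
            rule["uricontent"] = val.strip().strip('"')
        elif key == "nocase":
            rule["nocase"] = True
    return rule


def addr_matches(spec: str, ip) -> bool:
    if spec == "any":
        return True
    if spec in NETVARS:
        negated, net = NETVARS[spec]
        return (ip in net) != negated
    return ip in ipaddress.ip_network(spec, strict=False)   # literal host or CIDR


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec in PORTVARS:
        return port in PORTVARS[spec]
    return port == int(spec)


def make_packet(src: str, dst: str, dport: int, uri: str, sport: int = 40000) -> dict:
    """Constructed TCP request summary: only the fields the rules look at."""
    return {"proto": "tcp", "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport, "uri": uri}


def rule_matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    if rule["uricontent"] is None:
        return True
    uri, needle = pkt["uri"], rule["uricontent"]
    if rule["nocase"]:
        uri, needle = uri.lower(), needle.lower()
    return needle in uri


def process(rules, pkt, order=("alert", "pass", "log")):
    """Walk the rule lists in `order`; the first matching rule decides the
    packet's fate (assumed model). With the default order an alert fires
    before any pass rule is consulted; with -o the pass list goes first."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action, rule["msg"]
    return "none", None


# The two rules from the reply above, sid 1256 in its original alert form.
RULES = [parse_rule(r) for r in (
    'pass tcp $EXTERNAL_NET any -> 192.168.0.4 any',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS '
    'CodeRed v2 root.exe access"; flow:to_server,established; '
    'uricontent:"/root.exe"; nocase; classtype:web-application-attack; '
    'reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)',
)]


def run_sample():
    """Constructed outside request for ROOT.EXE at the host the pass rule
    covers, processed with the default order and with the -o order."""
    pkt = make_packet("10.1.2.3", "192.168.0.4", 80, "/scripts/ROOT.EXE")
    return {"default": process(RULES, pkt),
            "with_-o": process(RULES, pkt, order=("pass", "alert", "log"))}


if __name__ == "__main__":
    print(run_sample())
```

The point the model makes is the one Andy was missing: writing the pass rule is only half of it, because with the standard order the alert list is searched first and sid 1256 still fires for 192.168.0.4; only the -o order gives the pass rule a chance to match first, and the alert remains for every other $HTTP_SERVERS host.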



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

