Snort mailing list archives
Re: Rule to exclude a specific IP in Snort
From: "Nordwall, Douglas J" <doug () pnl gov>
Date: Mon, 20 Oct 2003 08:33:02 -0700
This should work, assuming that the sig you are looking at comes from gen_id 2. I'm not a snort expert by any means, but as I understand it, gen_id refers to where the alert is coming from, not so much a sequence number. Try changing the second to gen_id 1 and see if it works.

On 10/16/03 4:34 AM, "grant" <grant () macaulayconsultants co uk> wrote:

I am trying to create an exclusion list for multiple machines and rules. I have created a file called whiteSRC.txt and included this in my snort.conf. I can get it to work with one machine; I am having difficulty with multiple entries. Is there any information or documentation I can get anywhere?

suppress gen_id 1, sig_id 409, track by_src, ip 172.30.234.56

This line works fine!

suppress gen_id 2, sig_id 1419, track by_dst, ip 172.28.71.60

Is this right? I made this up!!

Thanks
Grant Macaulay

Hey Chris,

What do the different parts of that instruction mean?

suppress gen_id 1, <-- what does this mean?
sig_id 527,
track by_src, <-- And this?
ip 192.168.10.37

Thanks
Juan M. Rivera Rivera
IT Director
American University of P.R.

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Thursday, October 09, 2003 9:28 AM
To: Juan M. Rivera
Cc: Snort Users List
Subject: Re: [Snort-users] Rule to exclude a specific IP in Snort

"Juan M. Rivera" <jrivera () aupr edu> writes:

> I'm trying to modify the following Snort Rule:
>
> alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)
>
> I'm getting an alert on just one ip address and I know what the problem is. So I'm trying to modify this rule so that it takes into account any internal ip address except 192.168.10.37.

Don't bother with changing the rule anymore for handling that case.

suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37

in snort 2.0.2.

--
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
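The thread turns on two things a suppress line has to get right: the gen_id must be the generator that actually produced the event (gen_id 1 is the rules engine in Snort 2.x; preprocessors use other generator IDs, so a rule sid paired with gen_id 2 never matches), and track by_src versus by_dst decides which address of the packet is compared against ip. The following is an added example, not code from the thread or from Snort: a small parser and evaluator for threshold.conf-style suppress lines that lets you dry-run a whitelist file such as Grant's whiteSRC.txt against sample events before deploying it. The whitelist contents, the events and the helper names (Suppress, Event, parse_suppress_file, is_suppressed, check) are all constructed for the example; the matching semantics follow the Snort 2.x manual (gen_id and sig_id must be equal; with track/ip the source or destination address must fall inside the listed address or CIDR; a line with no track suppresses the gid:sid everywhere). Bracketed ip lists are accepted; negated entries are not.

```python
"""Dry-run checker for Snort 2.x 'suppress' lines (added example, not Snort code).

Assumptions (constructed for this example): the whitelist text below, the
sample events, and the names Suppress/Event/parse_suppress_file/is_suppressed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Suppress:
    """One 'suppress' entry from threshold.conf."""
    gen_id: int
    sig_id: int
    track: Optional[str] = None   # "by_src", "by_dst", or None (suppress everywhere)
    nets: tuple = ()              # ip networks to compare against; empty when track is None


@dataclass(frozen=True)
class Event:
    """A generated event as the engine sees it before output."""
    gen_id: int
    sig_id: int
    src: str
    dst: str


# suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst>, ip <addr|cidr|[list]>]
_LINE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?))?\s*$"
)


def _parse_ip_list(spec: str) -> tuple:
    """Accept a single address/CIDR or a bracketed comma list like [10.0.0.0/8,192.168.1.1]."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return tuple(ipaddress.ip_network(s.strip(), strict=False)
                 for s in spec.split(",") if s.strip())


def parse_suppress_file(text: str) -> list:
    """Parse suppress lines; comments and blank lines are skipped, anything else is an error."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a valid suppress line: {raw!r}")
        gid, sid, track, ips = m.groups()
        rules.append(Suppress(int(gid), int(sid), track, _parse_ip_list(ips) if track else ()))
    return rules


def is_suppressed(event: Event, rules) -> bool:
    """True if any rule silences this event: gid:sid must match exactly, then the tracked address."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (event.gen_id, event.sig_id):
            continue                      # a rule sid under the wrong gen_id never matches
        if r.track is None:
            return True                   # no track/ip: suppress this gid:sid from anywhere
        addr = ipaddress.ip_address(event.src if r.track == "by_src" else event.dst)
        if any(addr in net for net in r.nets):
            return True
    return False


# Constructed whitelist: the three lines discussed in the thread, including the
# gen_id 2 entry that Grant was unsure about.
WHITE_SRC = """\
# whiteSRC.txt (constructed sample)
suppress gen_id 1, sig_id 409, track by_src, ip 172.30.234.56
suppress gen_id 2, sig_id 1419, track by_dst, ip 172.28.71.60
suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37
"""
RULES = parse_suppress_file(WHITE_SRC)


def check(gid: int, sid: int, src: str, dst: str) -> bool:
    """Would an event with these fields be suppressed by WHITE_SRC?"""
    return is_suppressed(Event(gid, sid, src, dst), RULES)


if __name__ == "__main__":
    print(check(1, 527, "192.168.10.37", "10.0.0.5"))   # True: by_src matches the source
    print(check(1, 527, "10.0.0.5", "192.168.10.37"))   # False: the address is only the destination
    print(check(1, 1419, "10.0.0.9", "172.28.71.60"))   # False: the file says gen_id 2, event is gen_id 1
```

Running it against the three lines shows the by_src/by_dst distinction and why a rule-engine alert (gen_id 1) for sid 1419 is not silenced by the gen_id 2 entry. Snort itself reports nothing when a suppress line quietly matches nothing, so a dry run like this is the cheap check before an exclusion file goes into production.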
Current thread:
- Re: EXTERNAL_NET definition in Snort, (continued)
- Re: EXTERNAL_NET definition in Snort Erek Adams (Oct 09)
- Re: Rule to exclude a specific IP in Snort Chris Green (Oct 09)
- RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 09)
- Re: Rule to exclude a specific IP in Snort Chris Green (Oct 09)
- RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 14)
- RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 09)
- RE: Rule to exclude a specific IP in Snort Hutchinson, Andrew (Oct 09)
- RE: Rule to exclude a specific IP in Snort Jason (Oct 09)
- RE: Rule to exclude a specific IP in Snort Grime, Richard S (Oct 09)
- FW: Rule to exclude a specific IP in Snort grant (Oct 16)
- Re: FW: Rule to exclude a specific IP in Snort Erek Adams (Oct 16)
- Re: Rule to exclude a specific IP in Snort Nordwall, Douglas J (Oct 20)