Snort mailing list archives

Re: New User


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 01 Mar 2005 16:15:15 -0500

At 07:47 AM 3/1/2005, Jerry Thompson wrote:
> 1.  How do I stop the alert Web-misc robots.txt access?  I have searched
> every rule set and cannot find the rule.

Check web-misc.rules again..

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)



> 2.  Is it possible to instruct snort to ignore entire subnets?  For
> example, I would love to instruct Snort to ignore my private networks.
> Snort is monitoring my DMZ and I'm really only interested in alerts
> generated from the public side.


Probably the best thing would be to create a BPF filter for your snort command line. They're the same format as tcpdump.

i.e.:
snort not net 10.0.0.0/24

would ignore 10.0.0.0/24 as either a source or a destination, and packets to or from that network will be dropped before the snort rules see them (saves CPU time).

> Please don't beat me up for using a Windows version.

That's fine.. however, I would suggest getting yourself a copy of grep for Windows so you can use it to search all the rule files for a string.. I found your rule with:

grep "robots.txt" *.rules

It may be a command line utility, but grep really is a fantastically handy tool for stuff like this. Something based on GNU grep would work fine...

Here's one project that ported several GNU Unix utility apps as native Windows command-line programs:
http://unxutils.sourceforge.net/
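
Added example, not part of the original message or of Snort itself: a Python equivalent of the grep search above for a Windows host without grep, which also comments out the rule once its sid is known (commenting a rule out with "#" is the usual way to disable it). The function names are hypothetical, the rule directory is constructed for the demo, and the code assumes one rule per line.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')

def find_rules(rules_dir, needle):
    """Return (file, line number, sid, msg) for each *.rules line containing needle."""
    hits = []
    for path in sorted(Path(rules_dir).glob("*.rules")):
        lines = path.read_text(encoding="latin-1").splitlines()
        for lineno, line in enumerate(lines, 1):
            if needle.lower() not in line.lower():
                continue
            sid, msg = SID_RE.search(line), MSG_RE.search(line)
            hits.append((path.name, lineno,
                         int(sid.group(1)) if sid else None,
                         msg.group(1) if msg else ""))
    return hits

def disable_sid(rules_dir, sid):
    """Comment out active rules carrying this sid; return the files changed."""
    changed = []
    for path in sorted(Path(rules_dir).glob("*.rules")):
        lines = path.read_text(encoding="latin-1").splitlines(keepends=True)
        out = []
        for line in lines:
            m = SID_RE.search(line)
            active = not line.lstrip().startswith("#")
            if m and int(m.group(1)) == sid and active:
                line = "# " + line  # already-disabled rules are left alone
            out.append(line)
        if out != lines:
            path.write_text("".join(out), encoding="latin-1")
            changed.append(path.name)
    return changed

def demo():
    # Constructed rule directory; the rule text is the one quoted in the post.
    rule = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-MISC robots.txt access"; flow:to_server,established; '
            'uricontent:"/robots.txt"; nocase; reference:nessus,10302; '
            'classtype:web-application-activity; sid:1852; rev:3;)\n')
    with tempfile.TemporaryDirectory() as d:
        Path(d, "web-misc.rules").write_text("# constructed sample file\n" + rule)
        found = find_rules(d, "robots.txt")
        changed = disable_sid(d, 1852)
        return found, changed, Path(d, "web-misc.rules").read_text()
```

Snort has to be restarted to pick up the edited rule file, and a later rule update that overwrites web-misc.rules will re-enable the rule.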



