Snort mailing list archives
Re: New User
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 01 Mar 2005 16:15:15 -0500
At 07:47 AM 3/1/2005, Jerry Thompson wrote:
> 1. How do I stop the alert Web-misc robots.txt access? I have searched every rule set and cannot find the rule.
Check web-misc.rules again..
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
> 2. Is it possible to instruct snort to ignore entire subnets? For example, I would love to instruct Snort to ignore my private networks. Snort is monitoring my DMZ and I'm really only interested in alerts generated from the public side.
Probably the best thing would be to create a BPF filter for your snort command line. They're the same format as tcpdump.
ie: snort not net 10.0.0.0/24
would ignore 10.0.0.0/24 as either a source or a destination, and packets to or from that network will be dropped before the snort rules see them (saves CPU time).
> Please don't beat me up for using a Windows version.
That's fine.. however, I would suggest getting yourself a copy of grep for windows so you can use it to search all the rulefiles for a string.. I found your rule with:
grep "robots.txt" *.rules
It may be a command line utility, but grep really is a fantastically handy tool for stuff like this. Something based on gnu grep would work fine...
Here's one project that ported several gnu unix utility apps as native Windows command-line programs:
http://unxutils.sourceforge.net/
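Added example, not part of the original post: a portable Python stand-in for the grep search described in the reply, which parses each matching rule to report its sid and msg and can then comment the rule out by sid. The function names are hypothetical, disabling a rule by commenting it out is an assumption (the reply only covers locating it), and the second sample rule is constructed.

```python
import re

# First rule is copied from the reply above; the second is constructed for contrast.
SAMPLE_RULES = r'''# web-misc.rules (excerpt)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE constructed rule; not a real signature"; uricontent:"/example"; sid:1000001; rev:1;)
'''

# Optional leading '#' (disabled rule), action, header, then the (options) body.
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|log|pass|drop|activate|dynamic)\s+[^(]*\((.*)\)\s*$')
# An option is keyword[:value]; a quoted value may itself contain ';'.
OPT_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def parse_rule(line):
    """Return {'enabled', 'opts'} for a rule line, or None for any other line."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = {}
    for key, val in OPT_RE.findall(m.group(3)):
        opts.setdefault(key, []).append(val.strip().strip('"'))
    return {"enabled": m.group(1) is None, "opts": opts}

def find_rules(text, needle):
    """Case-insensitive search, like grep -i, but reporting sid and msg."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and needle.lower() in line.lower():
            o = rule["opts"]
            hits.append((lineno, int(o["sid"][0]), o["msg"][0], rule["enabled"]))
    return hits

def disable_sid(text, sid):
    """Comment out the enabled rule carrying this sid; leave every other line as is."""
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule["enabled"] and rule["opts"].get("sid") == [str(sid)]:
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(find_rules(SAMPLE_RULES, "robots.txt"))
    print(disable_sid(SAMPLE_RULES, 1852))
```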