Snort mailing list archives
HOME_NET, EXTERNAL_NET, var negatation and unwanted triggered rules
From: Denis Sacchet <mailinglist () kikamedical net>
Date: Wed, 16 Aug 2006 17:21:22 +0200
Hi everybody, I try to setup a Snort installation onto my firewall, but in a standard one, too much rules triggered, so I am trying to reduce unwanted triggered rules to the minimum to only get the serious security problems. To do that, I enable only one rules set (snmp.rules) because this rules set triggered a lot of time because of my nagios/cacti monitoring servers using snmp v2, and try to set up EXTERNAL_NET and HOME_NET to avoid logging of SNMP message from local workstation to local workstation. To do that, I set up as following : var EXTERNAL_NET [!10.0.0.0/8] var HOME_NET [10.0.0.0/8] include $RULE_PATH/snmp.rules and also : var EXTERNAL_NET ![10.0.0.0/8] var HOME_NET [10.0.0.0/8] include $RULE_PATH/snmp.rules and comment all the preprocessor and all the other rules files. But I still got the following type of alert : ID < <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=sig_a> Signature > <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=sig_d> < <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=time_a> Timestamp > <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=time_d> < <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=sip_a> Source Address > <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=sip_d> < <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=dip_a> Dest. Address > <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=dip_d> < <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=proto_a> Layer 4 Proto > <https://saturne.kika.loc/base/base_qry_main.php?caller=&num_result_rows=5121¤t_view=0&sort_order=proto_d> #0-(1-3835) <https://saturne.kika.loc/base/base_qry_alert.php?submit=%230-%281-3835%29&sort_order=> [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0013>] [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0012>] [bugtraq <http://www.securityfocus.com/bid/4132>] [bugtraq <http://www.securityfocus.com/bid/4089>] [bugtraq <http://www.securityfocus.com/bid/4088>] [local <https://saturne.kika.loc/base/signatures/1417.txt>] [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1417>] SNMP request udp 2006-08-16 16:35:03 10.70.30.4 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.70.30.4&netmask=32>:35464 10.40.0.2 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.40.0.2&netmask32>:161 UDP #1-(1-3836) <https://saturne.kika.loc/base/base_qry_alert.php?submit=%231-%281-3836%29&sort_order=> [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0013>] [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0012>] [bugtraq <http://www.securityfocus.com/bid/4132>] [bugtraq <http://www.securityfocus.com/bid/4089>] [bugtraq <http://www.securityfocus.com/bid/4088>] [local <https://saturne.kika.loc/base/signatures/1417.txt>] [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1417>] SNMP request udp 2006-08-16 16:35:03 10.70.30.4 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.70.30.4&netmask=32>:35464 10.40.0.2 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.40.0.2&netmask32>:161 UDP #2-(1-3837) <https://saturne.kika.loc/base/base_qry_alert.php?submit=%232-%281-3837%29&sort_order=> [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0013>] [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0012>] [bugtraq <http://www.securityfocus.com/bid/4132>] [bugtraq <http://www.securityfocus.com/bid/4089>] [bugtraq <http://www.securityfocus.com/bid/4088>] [local <https://saturne.kika.loc/base/signatures/1417.txt>] [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1417>] SNMP request udp 2006-08-16 16:35:03 10.70.30.4 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.70.30.4&netmask=32>:35464 10.70.20.2 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.70.20.2&netmask32>:161 UDP #3-(1-3838) <https://saturne.kika.loc/base/base_qry_alert.php?submit=%233-%281-3838%29&sort_order=> [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0013>] [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0012>] [bugtraq <http://www.securityfocus.com/bid/4132>] [bugtraq <http://www.securityfocus.com/bid/4089>] [bugtraq <http://www.securityfocus.com/bid/4088>] [local <https://saturne.kika.loc/base/signatures/1417.txt>] [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1417>] SNMP request udp 2006-08-16 16:35:04 10.70.30.4 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.70.30.4&netmask=32>:35464 10.70.20.2 <https://saturne.kika.loc/base/base_stat_ipaddr.php?ip=10.70.20.2&netmask32>:161 UDP in my BASE frontend. Could someone help to figure out how to configure my NET variable to avoid such alert to be logged. Thanks in advance Best regards Denis Sacchet ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HOME_NET, EXTERNAL_NET, var negatation and unwanted triggered rules Denis Sacchet (Aug 16)
- Re: HOME_NET, EXTERNAL_NET, var negatation and unwanted triggered rules Briggs, Bruce (Aug 16)