Snort mailing list archives
Re: Rules Question
From: Jacob Steinberger <trefalgar () realitybytes net>
Date: Wed, 12 Aug 2009 14:14:01 -0500
Joel,

Worked like a charm. Thank you very much for a shove in the right direction!

suppress gen_id 1, sig_id 598, track by_dst, ip #1
suppress gen_id 1, sig_id 598, track by_dst, ip #2

Jacob

Quoting Joel Esler <jesler () sourcefire com>:
> You are confusing the two. Take a look at the manual for Suppression, or check out the README.thresholding file in the doc/ directory of the Snort tarball.
>
> Joel
>
> On Wed, Aug 12, 2009 at 2:16 PM, Jacob Steinberger <trefalgar () realitybytes net> wrote:
>
> > $HOME_NET = [172.19.0.0/16]
> >
> > If I add a suppression, would that still parse correctly? `[172.19.0.0/16][!IP#1,!IP#2]`, or am I confusing the 'suppression' term with negate? ;)
> >
> > Jacob
> >
> > Quoting Joel Esler <jesler () sourcefire com>:
> >
> > > Why don't you leave $HOME_NET as $HOME_NET and use a suppression to tune out the two servers that you want to eliminate from the alert process?
> > >
> > > J
> > >
> > > On Wed, Aug 12, 2009 at 1:24 PM, Jacob Steinberger <trefalgar () realitybytes net> wrote:
> > >
> > > > I'm not sure if I'm thinking about this in the "Snort" way or not, but...
> > > >
> > > > I'm receiving a lot of "RPC portmap listing TCP 111" alerts from snort running in IDS mode. We have two different NFS servers to which I can attribute 99% of the alarms (over 4,000 in less than 24 hours). I'd like to be able to specifically ignore requests going to these two servers. I assume this is a rules update, so I tried updating this rule:
> > > >
> > > > alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)
> > > >
> > > > Instead of $HOME_NET, I tried [any,!IP#1, !IP#2]. It didn't seem to work as I continued to get the same RPC alarms. Am I not thinking in the proper snort way, or is this just a syntax problem within my host list?
> > > >
> > > > Jacob
> > >
> > > --
> > > Joel Esler | Sourcefire | Google Voice: 302-223-5974
>
> --
> Joel Esler | Sourcefire | Google Voice: 302-223-5974

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
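The thread settles on the `suppress` mechanism from README.thresholding rather than editing the rule's `$HOME_NET`. The following is an added example (not code from the thread or from Snort) that models what those two `suppress` lines do: it parses the `suppress gen_id ..., sig_id ..., track by_dst, ip ...` form and runs it over a handful of constructed alert records. The two NFS server addresses (172.19.10.5 and 172.19.10.6) and the alert records are made-up stand-ins for the thread's "IP #1" / "IP #2" placeholders; a real `suppress` line needs the literal address or a bracketed list, not "#1".

```python
"""
Model of Snort's per-signature suppression (the mechanism described in
README.thresholding) applied to constructed alert records.
Added example for this thread; it is not Snort code, and the two NFS
server addresses below are made-up stand-ins for the thread's "IP #1"
and "IP #2".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr|[a,b,...]>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class Suppression:
    gen_id: int
    sig_id: int
    track: Optional[str]  # None: suppress the signature for every address
    nets: Tuple[ipaddress.IPv4Network, ...]  # networks the tracked side must fall in


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    src: str
    dst: str
    msg: str


def parse_suppress(line: str) -> Suppression:
    """Parse one suppress line as it would appear in snort.conf / threshold.conf."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a suppress line: {line!r}")
    gid, sid, track, iplist = m.groups()
    nets: Tuple[ipaddress.IPv4Network, ...] = ()
    if iplist:
        # a single address/CIDR, or a bracketed comma-separated list of them
        items = iplist.strip("[]").split(",")
        nets = tuple(ipaddress.ip_network(i.strip(), strict=False) for i in items)
    return Suppression(int(gid), int(sid), track, nets)


def is_suppressed(alert: Alert, rules: List[Suppression]) -> bool:
    """True if a suppression matches this alert's gid/sid and its tracked address."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (alert.gen_id, alert.sig_id):
            continue
        if r.track is None:
            return True  # no track clause: suppress the signature outright
        side = alert.src if r.track == "by_src" else alert.dst
        if any(ipaddress.ip_address(side) in n for n in r.nets):
            return True
    return False


def filter_alerts(alerts: List[Alert], rules: List[Suppression]) -> List[Alert]:
    """The alerts that survive suppression, i.e. what would still be logged."""
    return [a for a in alerts if not is_suppressed(a, rules)]


def load_rules(conf: str) -> List[Suppression]:
    return [parse_suppress(line) for line in conf.strip().splitlines()]


# Constructed config: the thread's two lines with made-up server addresses.
SUPPRESS_CONF = """
suppress gen_id 1, sig_id 598, track by_dst, ip 172.19.10.5
suppress gen_id 1, sig_id 598, track by_dst, ip 172.19.10.6
"""

# Constructed alerts; sid 598 is the "RPC portmap listing TCP 111" rule from the thread.
PORTMAP = "RPC portmap listing TCP 111"
ALERTS = [
    Alert(1, 598, "10.0.0.8", "172.19.10.5", PORTMAP),     # NFS server #1: suppressed
    Alert(1, 598, "10.0.0.8", "172.19.10.6", PORTMAP),     # NFS server #2: suppressed
    Alert(1, 598, "10.0.0.8", "172.19.10.7", PORTMAP),     # any other host: still alerts
    Alert(1, 598, "172.19.10.5", "10.0.0.9", PORTMAP),     # server as *source*: by_dst does not match
    Alert(1, 1000001, "10.0.0.8", "172.19.10.5", "constructed local rule"),  # other sid: untouched
]


def demo() -> List[Alert]:
    return filter_alerts(ALERTS, load_rules(SUPPRESS_CONF))


if __name__ == "__main__":
    for a in demo():
        print(f"kept: gid={a.gen_id} sid={a.sig_id} {a.src} -> {a.dst} {a.msg}")
```

Two points worth keeping in mind when choosing between the approaches discussed in the thread. A `suppress` entry filters the event after the rule has already matched, so it removes the noise from the log without changing what the rule inspects; the other host on the same subnet, and the servers when they appear as the source, keep alerting. Carving the servers out of `$HOME_NET` with a negated list instead stops the rule from matching them at all, which trims detection work too but means every rule using `$HOME_NET` stops covering those hosts, not just sid 598.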
Current thread:
- Rules Question Jacob Steinberger (Aug 12)
- Re: Rules Question Joel Esler (Aug 12)
- Re: Rules Question Jacob Steinberger (Aug 12)
- Re: Rules Question Joel Esler (Aug 12)
- Re: Rules Question Jacob Steinberger (Aug 12)
- Re: Rules Question Jacob Steinberger (Aug 12)
- Re: Rules Question Joel Esler (Aug 12)