Snort mailing list archives

Re: whitelist rule to 1 ip?


From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Wed, 3 Mar 2010 13:00:09 -0500

Morgan,



Suppression is actually more than just log suppression; it is event suppression, stopping the event from firing under the specified circumstance. So this should suit your needs just fine; however, if you wanted to, you could build your needs into the rule...

create a new variable:

var whitelist1 !192.168.5.33

and then modify the destination in your rule to use that new variable as the destination:

drop icmp $EXTERNAL_NET any -> $whitelist1 any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)



Hope this helps,

Parker
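Added illustration, not code from this thread or from Snort itself: a small Python model of how a negated IP variable such as Parker's `!192.168.5.33` evaluates in a Snort 2.x rule header, so you can check which destinations the rewritten rule would still match compared with the original `any`. The `$EXTERNAL_NET` value and the list-form spec are assumptions for the demo; the matching semantics (a `!` entry excludes its addresses, a spec with only negated entries matches everything else) follow the Snort manual's IP variable rules.

```python
import ipaddress

# Model of Snort-style IP specs as they appear in a rule header.
# Supported forms: "any", a single address or CIDR, or a [a,b,...] list,
# each entry optionally prefixed with "!" to negate it.


def parse_ip_spec(spec):
    """Return a list of (negated, ip_network) tuples; [] means 'any'."""
    spec = spec.strip()
    if spec == "any":
        return []
    if spec.startswith("[") and spec.endswith("]"):
        items = spec[1:-1].split(",")
    else:
        items = [spec]
    parsed = []
    for item in items:
        item = item.strip()
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        parsed.append((negated, net))
    return parsed


def ip_matches(spec, addr):
    """True if addr satisfies spec the way a Snort header would:
    any negated entry that contains addr excludes it; otherwise addr must
    fall in a positive entry, or the spec must contain only negations."""
    entries = parse_ip_spec(spec)
    if not entries:
        return True  # "any" matches everything
    ip = ipaddress.ip_address(addr)
    positives = [net for neg, net in entries if not neg]
    negatives = [net for neg, net in entries if neg]
    if any(ip in net for net in negatives):
        return False
    return not positives or any(ip in net for net in positives)


# Constructed variable table: whitelist1 is Parker's definition,
# EXTERNAL_NET is an assumed value for the demo.
VARS = {"whitelist1": "!192.168.5.33", "EXTERNAL_NET": "any"}


def rule_fires(dst_spec, dst_ip):
    """Evaluate just the destination-IP part of the rule header."""
    if dst_spec.startswith("$"):
        dst_spec = VARS[dst_spec[1:]]
    return ip_matches(dst_spec, dst_ip)
```

With the original header (`any`) the rule still matches pings to 192.168.5.33; with `$whitelist1` that host is excluded while every other destination still matches.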

  _____

From: Morgan Cox [mailto:morgancoxuk () gmail com]
Sent: Wednesday, March 03, 2010 12:25 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] whitelist rule to 1 ip?



Hi.

Thank you all for your responses.

By whitelisting I mean preventing a rule from being used for an IP address, not just the alert.

As far as I understand, the suppression used in the threshold.conf file only prevents the alerts for the rule; the rule will still be active though (i.e. the rule will still block whatever to the IP we have suppressed). Is that correct? (I am running inline mode - not that it should matter.)

Using an example from this thread I would want to use something like this (I know this syntax will not work):

drop icmp $EXTERNAL_NET any -> *any except* 192.168.5.33 any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)

I hope this clarifies what I mean

Thanks everybody.

Once again OSS technical support beats the hell out of any companies support.






On 3 March 2010 14:14, Joel Esler <jesler () sourcefire com> wrote:

I don't understand what you mean by whitelist.

Suppression allows you to turn off alerting for a particular ip.  That's whitelisting. If you want to write a rule for 
ONLY one IP, then you can modify the rule header to only deal with one IP instead of a whole variable.

--
Joel Esler
Sent from my iPhone



On Mar 3, 2010, at 5:11 AM, Morgan Cox <morgancoxuk () gmail com> wrote:

Hi.

I did ask this a while ago but never got a response.

What is the correct way of white-listing a rule for a specific IP?

I know that you can suppress warnings of a rule to an IP using the threshold file, but is there any way to completely whitelist a rule - to 1 IP only?

Any help on this will be appreciated.

Regards

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


