Snort mailing list archives
Re: whitelist rule to 1 ip?
From: Morgan Cox <morgancoxuk () gmail com>
Date: Wed, 3 Mar 2010 18:15:40 +0000
Thank you so much for your help everybody, cheers!

On 3 March 2010 18:00, Crook, Parker <Parker_Crook () reyrey com> wrote:

Morgan,

Suppression is actually more than just log suppression; it is event suppression, stopping the event from firing under the specified circumstance. So this should suit your needs just fine. However, if you wanted to, you could build your needs into the rule… create a new variable:

var whitelist1 !192.168.5.33

and then modify the destination in your rule to use that new variable as the destination:

drop icmp $EXTERNAL_NET any -> $whitelist1 any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)

Hope this helps,
Parker

------------------------------
From: Morgan Cox [mailto:morgancoxuk () gmail com]
Sent: Wednesday, March 03, 2010 12:25 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] whitelist rule to 1 ip?

Hi.

Thank you all for your responses.

By whitelisting I mean prevent a rule being used for an IP address, not just the alert.

As far as I understand, the suppression used in the threshold.conf file only prevents the alerts for the rule; the rule will still be active though (i.e. the rule will still block whatever to the IP we have suppressed). Is that correct? (I am running inline mode - not that it should matter.)

Using an example from this thread I would want to use something like this (I know this syntax will not work):

drop icmp $EXTERNAL_NET any -> *any except* 192.168.5.33 any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)

I hope this clarifies what I mean.

Thanks everybody. Once again OSS technical support beats the hell out of any company's support.

On 3 March 2010 14:14, Joel Esler <jesler () sourcefire com> wrote:

I don't understand what you mean by whitelist. Suppression allows you to turn off alerting for a particular IP. That's whitelisting.

If you want to write a rule for ONLY one IP, then you can modify the rule header to only deal with one IP instead of a whole variable.

--
Joel Esler
Sent from my iPhone

On Mar 3, 2010, at 5:11 AM, Morgan Cox <morgancoxuk () gmail com> wrote:

Hi.

I did ask this a while ago but never got a response.

What is the correct way of white-listing a rule for a specific IP? I know that you can suppress warnings of a rule to an IP using the threshold file, but is there any way to completely whitelist a rule - to 1 IP only?

Any help on this will be appreciated.

Regards

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
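The two approaches discussed in the thread, written out side by side as an added example (this is not code from any of the messages above). The suppress line uses the threshold.conf syntax; the rule-header variant uses ipvar, the form the Snort 2.x manual gives for IP variables (Parker's `var whitelist1 !192.168.5.33` expresses the same thing). The host 192.168.5.33, the rule body and sid 466 are the ones quoted in the thread; the variable name WHITELIST1 and the file name local.rules are my choices.

```snort
# --- Option A: event suppression (threshold.conf) ---
# No event is generated for gid 1 / sid 466 when the destination is
# 192.168.5.33. Every other destination is handled as before.
suppress gen_id 1, sig_id 466, track by_dst, ip 192.168.5.33

# --- Option B: take the host out of the rule header (snort.conf) ---
# An IP variable meaning "every address except this host". A bare negation
# is valid; combining 'any' with a negation, e.g. [any,!192.168.5.33], is not.
# Define it before the 'include' line that loads the rules that use it.
ipvar WHITELIST1 !192.168.5.33

# --- Local copy of the rule (local.rules) ---
# Same gid:sid as the stock rule, so comment out the stock sid 466 so the
# signature is not loaded twice; only the destination field differs.
drop icmp $EXTERNAL_NET any -> $WHITELIST1 any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)
```

After either change, `snort -T -c /path/to/snort.conf` parses the configuration and rules without processing traffic, which is the quickest way to catch a misplaced ipvar or a duplicate sid before restarting an inline sensor.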
Current thread:
- whitelist rule to 1 ip? Morgan Cox (Mar 03)
- Re: whitelist rule to 1 ip? Ray Caparros (Mar 03)
- Re: whitelist rule to 1 ip? Crook, Parker (Mar 03)
- Re: whitelist rule to 1 ip? Joel Esler (Mar 03)
- Re: whitelist rule to 1 ip? Morgan Cox (Mar 03)
- Re: whitelist rule to 1 ip? Crook, Parker (Mar 03)
- Re: whitelist rule to 1 ip? Morgan Cox (Mar 03)
- Re: whitelist rule to 1 ip? Morgan Cox (Mar 03)