Snort mailing list archives
Re: snort + squid proxy
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Sat, 24 Nov 2012 15:23:15 -0500
Leonardo,

Since I don't see any responses here: if you need to ignore a single IP address for whatever reason, snort supports loading a BPF, or Berkeley packet filter, which is basically a rule stating what traffic will be passed from the system interface to snort to inspect, or ignored by snort entirely. This page is a lifesaver for learning how to write your own BPFs:

http://biot.com/capstats/bpf.html

As for learning how to integrate a BPF into snort correctly, the snort manual has information on that -- specifically, page 32 of the snort manual specifies how to call a file with your BPF rules, as well as the -F option on the command line to call a file with your BPF rules.

Now, for the actual syntax itself. If you want to ignore all traffic where the proxy is the source or the destination, and say the proxy's IP address is 1.1.1.1, create a file and name it something meaningful, such as bpf.conf, and in the file input the following:

not host 1.1.1.1

This reads: "inspect all traffic seen on the interface except where host 1.1.1.1 is the source or the destination; ignore that entirely."

If you want to be more specific, you can tell snort to ignore any traffic where the proxy is the source of the traffic. Enter this:

not src host 1.1.1.1

This reads: "inspect all traffic seen on the interface, except for traffic where host 1.1.1.1 is the source of the traffic; ignore that entirely."

If you want to tell snort to ignore traffic where the proxy is the destination of the traffic, enter this:

not dst host 1.1.1.1

As you may have guessed, this reads: "inspect all traffic seen on this interface, except for traffic where host 1.1.1.1 is the destination of the traffic; ignore that entirely."

Save your file and, using either the -F option or the config_bpf directive in snort.conf, specify the path to the file you just made, and run snort. Snort should now be ignoring your proxy.

Additional note: BPF filters can be as simple or as complex as your imagination allows. This is a very, very basic introduction. When I say we are going to ignore all traffic to or from a given host, I mean that: all traffic, on any port, using any protocol, will be ignored. There are ways to make your BPF filters more specific and tell snort to ignore a single port, or port range, etc., but I will leave that to you. For now, this should give you the results you wanted.

Sincerely,
DA

On Thu, Nov 22, 2012 at 1:10 PM, Leonardo Pezente <lmpezente () gmail com> wrote:
> Well, I want to know how I can set snort to ignore one proxy server in the network. From what I know, snort will generate a lot of false positives because of the proxy. And is there any problem if I put the proxy on the same machine as the IDS?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- when does reality end? when does fantasy begin?
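The two ways of handing the filter to snort, plus a narrower filter than the whole-host one in the reply above, as an added example that is not part of the original thread. It assumes the proxy address 1.1.1.1 from the reply, Squid's default listening port of TCP 3128 (an assumption; use whatever port your Squid binds), an interface name and snort.conf path that are placeholders, and Snort 2.x, whose manual lists `config bpf_file: <file>` as the snort.conf equivalent of the `-F` command-line option. The point of the "port" scope: `not host 1.1.1.1` also discards the proxy's own outbound requests to origin servers, so anything a client fetches through the proxy goes uninspected; excluding only the listening socket drops the client-to-proxy leg while keeping the proxy-to-internet leg visible to snort.

```shell
#!/bin/sh
# Added example; not code from the original thread or from the Snort project.
# Assumptions: proxy IP 1.1.1.1 (from the reply), Squid on TCP 3128 (Squid's
# default, adjust to your setup), Snort 2.x reading a BPF file via "-F" or
# "config bpf_file:". Interface and snort.conf path below are placeholders.

# Build the BPF expression for the requested scope.
#   host : ignore every packet to or from the proxy (the reply's "not host")
#   port : ignore only the proxy's listening socket; packets the proxy itself
#          sends to origin servers are still inspected
bpf_expr() {
    scope="$1" proxy="$2" port="$3"
    case "$scope" in
        host) printf 'not host %s\n' "$proxy" ;;
        port) printf 'not (host %s and tcp port %s)\n' "$proxy" "$port" ;;
        *)    echo "bpf_expr: unknown scope '$scope'" >&2; return 1 ;;
    esac
}

# Write the expression into the file snort will read. An empty or missing
# file is treated as failure so snort is never started with a filter that
# silently means "nothing excluded" or that fails to parse at startup.
write_bpf_file() {
    file="$1" scope="$2" proxy="$3" port="$4"
    bpf_expr "$scope" "$proxy" "$port" > "$file" || return 1
    [ -s "$file" ]
}

# Print the two equivalent ways of pointing snort at the file.
show_usage() {
    file="$1"
    printf 'command line: snort -c /etc/snort/snort.conf -i eth0 -F %s\n' "$file"
    printf 'snort.conf  : config bpf_file: %s\n' "$file"
}

main() {
    tmp="${TMPDIR:-/tmp}/bpf.conf.$$"
    write_bpf_file "$tmp" port 1.1.1.1 3128 || exit 1
    echo "bpf.conf now contains: $(cat "$tmp")"
    show_usage "$tmp"
    rm -f "$tmp"
}

main "$@"
```

Run it as-is to see the generated filter and the two load forms; swap `port` for `host` in `main` to reproduce the whole-host exclusion from the reply. Whichever scope you pick, keep the BPF file under the same change control as snort.conf, since a one-line edit there can blind the sensor to an entire host.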
Current thread:
- snort + squid proxy Leonardo Pezente (Nov 22)
- Re: snort + squid proxy Tony Robinson (Nov 24)
- Re: snort + squid proxy Jason Haar (Nov 24)
- Re: snort + squid proxy Tony Robinson (Nov 24)
- Re: snort + squid proxy Jason Haar (Nov 24)
- Re: snort + squid proxy Tony Robinson (Nov 24)