Snort mailing list archives

Re: Whitelisting


From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 7 Feb 2013 16:38:54 +0000

You could do a BPF filter to have snort ignore the traffic (the bpf
file is referenced in the command line options), or you could
whitelist (threshold) certain alerts via source or destination (using
threshold.conf). You could also write pass rules for certain alerts,
changing the IPs to make sure that specific traffic doesn't alert
(copy the alert to local.rules, change alert to pass and change the IP
variables).

Lots of options.


On Thu, Feb 7, 2013 at 4:25 PM, Erik D. Sciortino <ESciortino () abim org> wrote:
Good Morning All,



I want to start tuning my Snort install so I can cut down on some of the
chatter currently being seen in the logs. I would like to use whitelisting
to help eliminate some of the legitimate server traffic chatter that I am
seeing in Snort. Can I create a Whitelist rule for a specific
system-to-system interaction (i.e. the IP traffic going between my BlueCoat
ProxySG and ProxyAV) or do whitelist rules only work based on Source IP
(i.e. I could whitelist the IP address of my ProxySG only). If it is
possible to create a whitelist rule for system-to-system interaction, would
it be possible for someone to provide me with some sample nomenclature that
I could follow?



Thanks in advance!



Erik



Erik D. Sciortino, CISSP, CISM, CIPP

Director of Data Security



American Board of Internal Medicine

510 Walnut Street | Suite 1700 | Philadelphia, PA 19106

P: 215.446.3525 | C: 215.847.2207 | E: esciortino () abim org

www.ABIM.org

Save Paper - Do you really need to print this e-mail?





________________________________
CONFIDENTIALITY NOTICE: This message and any attachments may contain
confidential or proprietary information and are only for the use of the
intended recipient(s) named above. If you are not the intended recipient or
an agent responsible for delivering it to the intended recipient, please
notify us immediately by replying to this email and delete or destroy the
original and all copies thereof. Any unauthorized disclosure, use,
distribution, or reproduction of this message or any attachments is
prohibited and may be unlawful.
________________________________

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
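A worked illustration of the three options Jeremy lists, added here for this archive page; it is not configuration from the original reply, from the poster, or from the Snort project. All of the specifics are assumptions I made to make the example concrete: the addresses 192.0.2.10 (ProxySG) and 192.0.2.11 (ProxyAV), the ICAP port 1344, the variable names PROXYSG/PROXYAV, the placeholder noisy signature 1:2000123, and the local sid 1000001. Syntax is Snort 2.9-era snort.conf / threshold.conf / rules syntax.

```snort
# ---- Option 1: BPF filter (bpf.conf, loaded with `snort -F /etc/snort/bpf.conf`
# or `config bpf_file: /etc/snort/bpf.conf` in snort.conf).
# Snort never sees the filtered packets at all, so this is a blind spot rather
# than a tuning knob: nothing between the two hosts will ever be inspected.
# The file holds a single pcap expression; addresses below are assumed.
not (host 192.0.2.10 and host 192.0.2.11)

# ---- Option 2: suppression in threshold.conf (included from snort.conf).
# `suppress` tracks by_src OR by_dst with one IP or CIDR; it cannot express a
# source/destination pair. It silences one specific alert (gen_id:sig_id taken
# from the [1:2000123:3] prefix of the noisy alert line), not all inspection,
# so it is the least risky choice when a single host is the problem.
# 1:2000123 is a placeholder; use the GID:SID of your own noisy alert.
suppress gen_id 1, sig_id 2000123, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2000123, track by_dst, ip 192.0.2.11

# ---- Option 3: pass rule in local.rules, which CAN express a pair.
# Define the two hosts once in snort.conf (names and addresses assumed).
ipvar PROXYSG 192.0.2.10
ipvar PROXYAV 192.0.2.11

# Copy the noisy alert rule from the vendor rule file, change `alert` to
# `pass`, replace the IP variables with the pair, assign a local sid (>= 1000000)
# and KEEP the original flow/content options so only that one signature is
# exempted for that pair. Placeholder original rule for reference:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 1344 (msg:"EXAMPLE ICAP noisy sig"; \
#       flow:to_server,established; content:"RESPMOD icap://"; sid:2000123; rev:3;)
pass tcp $PROXYSG any -> $PROXYAV 1344 (msg:"LOCAL pass ProxySG->ProxyAV ICAP noise"; \
    flow:to_server,established; content:"RESPMOD icap://"; sid:1000001; rev:1;)

# A pass rule with no flow/content options exempts the pair from EVERY alert
# rule, so never leave a bare `pass tcp $PROXYSG any -> $PROXYAV any ();` behind.
# Use `<>` instead of `->` only if the same signature fires in both directions.
# Pass rules must be evaluated before alert rules: check `config order:` in
# snort.conf for your version (older 2.x builds needed `-o` or
# `config order: pass alert log` to get pass-first evaluation).
```

After any of these changes, run `snort -T -c /etc/snort/snort.conf` to validate the configuration, then replay a capture of the ProxySG/ProxyAV traffic with `snort -r` to confirm the one alert is gone and nothing else between the two hosts has been silenced.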
