Snort mailing list archives
Exclude IP Subnets and a IP address from a Specific rule
From: "Matt Brichetto" <m_brichetto () cuinterface com>
Date: Fri, 30 Aug 2013 11:33:55 -0400
Hello,

This is a two-part question on two different topics that are related to each other. The first part is that I am looking for the best way to exclude an IP address from a specific rule in Snort. The second part is how to exclude specific external subnets from being scanned as they flow into the Snort box.

My setup is running on Windows Server 2008 64-bit. I used the WinSnort.com website and their guide for how to install and set everything up. I am also using PulledPork to auto-update my rules/signatures. I am new to the Snort setup, so please bear with me as I may ask silly questions.

Now on to the specific scenarios I have. The first setup I need to do is to exclude an internal IP address from the specific rule below, because it flows into a spam filter of ours and we receive a ton of alerts from it that are not needed. The IP address of the device is 192.168.22.9 on our local subnet. (Rule is below.)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)

Here are the two options that, after doing some research, I think may work, but I would like to hear back from someone with experience in this. What I don't know is, if I edit the winids.rules file for a specific rule, will PulledPork just write over it?

First, edit the existing rule in the winids.rules folder with an exclude "!" argument, so it may look like this:

alert tcp ![192.168.41.9/24] $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)

Another thought I had was adding a pass rule above the original rule, with just the specific IP address, in the winids.rules file, as well as taking out the $EXTERNAL_NET argument because it is just a new rule:

pass tcp [192.168.41.9/24] any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)

The second setup is excluding certain external IP subnets altogether from being scanned. What I want is that all the external IPs that come in are still seen, but that Snort ignores certain external subnets that I specify. My thought process is to somehow modify the $EXTERNAL_NET field in the snort.conf file. I also thought, is there a way to create a local file that would just exclude the specific IP addresses I want Snort to ignore? Through all of the reading I have done there doesn't seem to be a defined way to do this, but I cannot be the only one who has needed to exclude IP addresses from certain places in Snort.

Thanks in advance for any help,
Matt
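An added configuration example, not from Matt's post and not from the files shipped with Snort or PulledPork, showing the places a Snort 2.9 administrator would normally put these two exclusions so that they are not lost when PulledPork rewrites winids.rules. The subnets 192.168.22.0/24, 203.0.113.0/24 and 198.51.100.0/24, the file names, and the assumption that the spam filter at 192.168.22.9 is the host receiving inbound SMTP are all placeholders for this example.

```snort
# Added example (not part of the original post). Four short fragments, one per
# file; addresses and file names are assumptions.

# ---- snort.conf: variables -------------------------------------------------
# SID 13364 only matches src $EXTERNAL_NET -> dst $SMTP_SERVERS. An internal
# host can only show up on the wrong side of that header if HOME_NET does not
# contain it, so check the variables first: with HOME_NET correct,
# EXTERNAL_NET = !$HOME_NET already excludes every internal address.
ipvar HOME_NET [192.168.22.0/24]              # assumed local subnet
ipvar SMTP_SERVERS [192.168.22.9,192.168.22.10] # assumed: spam filter + mail server
ipvar EXTERNAL_NET !$HOME_NET

# ---- threshold.conf (included from snort.conf): suppression ----------------
# Keep the rule loaded for everyone else but emit no alert for this SID when
# the spam filter is involved. by_dst if the filter is the server receiving
# the mail (the usual case for an inbound $EXTERNAL_NET -> $SMTP_SERVERS
# rule), by_src if it is the sending side. A CIDR block may replace the ip.
suppress gen_id 1, sig_id 13364, track by_dst, ip 192.168.22.9

# ---- PulledPork modifysid.conf: rewrite the header on every update ---------
# Same intent written into the rule itself. Format: <sid> "<find>" "<replace>"
# (applied as a regex, so $ is escaped). A Snort address field is ONE list,
# so the exclusion is a negated member inside the list; writing
# "![addr] $EXTERNAL_NET any" puts two source fields in the header and is
# not valid rule-header syntax.
13364 "\$SMTP_SERVERS 25" "[\$SMTP_SERVERS,!192.168.22.9] 25"

# ---- bpf.conf (start Snort with -F bpf.conf): ignore whole subnets ---------
# Second question: a BPF filter discards packets to or from these external
# ranges before any preprocessor or rule runs, so Snort never sees them while
# all other external traffic is still inspected. Placeholder ranges.
not (net 203.0.113.0/24 or net 198.51.100.0/24)
```

The three mechanisms differ in where the traffic stops: a suppress line silences output for one SID and one address but the rule is still evaluated; the modifysid rewrite changes what the rule matches and is re-applied by PulledPork on each update, whereas a hand edit of winids.rules is overwritten; the BPF filter removes the packets from the engine entirely, which is the behaviour asked for in the second question. After changing any of these, `snort -T -c snort.conf` validates the configuration without starting detection.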
Current thread:
- Exclude IP Subnets and a IP address from a Specific rule Matt Brichetto (Aug 30)
- Re: Exclude IP Subnets and a IP address from a Specific rule James Lay (Aug 30)
- Re: Exclude IP Subnets and a IP address from a Specific rule Joel Esler (Aug 30)