Snort mailing list archives

Exclude IP Subnets and an IP address from a Specific rule


From: "Matt Brichetto" <m_brichetto () cuinterface com>
Date: Fri, 30 Aug 2013 11:33:55 -0400

Hello, 

This is a two-part question on two different topics that are related to
each other. The first part is that I am looking for the best way to
exclude an IP address from a specific rule in Snort. The second part is
how to exclude specific external subnets from being scanned as they flow
into the Snort box.

 

My setup is running on Windows Server 2008 64-bit. I used the
WinSnort.com website for their guide on how to install and set everything
up. I am also using PulledPork to auto-update my rules or signatures.
I am new to the Snort setup, so please bear with me as I may ask silly
questions. Now on to the specific scenarios I have.


The first setup I need to do is to exclude an internal IP address from the
specific rule below, because it flows into a spam filter of ours and we
receive a ton of alerts from it that are not needed. The IP address of the
device is 192.168.22.9 on our local subnet. (Rule is below)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell
GroupWise client IMG SRC buffer overflow"; flow:to_server,established;
content:"<IMG"; nocase; content:"SRC"; distance:0; nocase;
isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i";
metadata:policy security-ips drop, service smtp;
reference:bugtraq,26875; reference:cve,2007-6435;
classtype:attempted-user; sid:13364; rev:8;) 

Here are the two options that, after doing some research, I think may
work, but I would like to hear back from someone with experience in
this. What I don't know is whether, if I edit the winids.rules file for a
specific rule, PulledPork will just write over it.

First, edit the existing rule in the winids.rules folder with an exclude
"!" argument, so it may look like this:

alert tcp ![192.168.41.9/24] $EXTERNAL_NET any -> $SMTP_SERVERS 25
(msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow";
flow:to_server,established; content:"<IMG"; nocase; content:"SRC";
distance:0; nocase; isdataat:244,relative;
pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i";
metadata:policy security-ips drop, service smtp;
reference:bugtraq,26875; reference:cve,2007-6435;
classtype:attempted-user; sid:13364; rev:8;)


Another thought I had was adding a pass rule above the original rule,
just with the specific IP address, in the winids.rules file, as well as
taking out the $EXTERNAL_NET argument, because it is just a new rule.


pass tcp [192.168.41.9/24] any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Novell GroupWise client IMG SRC buffer overflow";
flow:to_server,established; content:"<IMG"; nocase;
content:"SRC"; distance:0; nocase; isdataat:244,relative;
pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips
drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435;
classtype:attempted-user; sid:13364; rev:8;)



The second setup is excluding certain external IP subnets altogether
from being scanned. What I want is that all the external IPs that come
in are still seen, but that Snort ignores certain external subnets that I
specify. My thought process is to either somehow modify the EXTERNAL_NET
field in the snort.conf file, or to somehow create a local file that
would just exclude the specific IP addresses I want Snort to ignore.

 

Through all of the reading I have done, there doesn't seem to be a defined
way to do this, but I cannot be the only one who has needed to exclude IP
addresses from certain places in Snort.

Thanks in advance for any help,

Matt
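The post hinges on which hosts a rule header actually selects once address lists, `!` negation and `$ipvar` references are resolved. The following Python script is an added example, not code from the post or from Snort: it models Snort 2's documented list semantics (non-negated entries are OR'ed, and that result is AND'ed with the negation of the OR'ed negated entries) and applies them to the headers above. The `ipvar` values in `TIGHT_VARS`, `LOOSE_VARS` and `TRIMMED_VARS` are constructed, the rule bodies are trimmed to `sid:13364;` only, and the `HOST_EXCLUDED` and `SUBNET_EXCLUDED` headers are constructed single-source-field variants; the semantics themselves are this example's reading of the Snort manual, not a guarantee of how a given Snort build parses a particular list.

```python
"""Model of Snort 2 rule-header address matching (added example, not Snort code).

Assumed list semantics, from the Snort 2 manual's description of IP lists:
an address matches a list if it matches at least one non-negated entry
(or the list has no non-negated entries) AND matches none of the negated ones.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed ipvar tables (assumed values, not taken from the post).
TIGHT_VARS: Dict[str, str] = {
    "HOME_NET": "192.168.0.0/16",
    "EXTERNAL_NET": "!$HOME_NET",
    "SMTP_SERVERS": "192.168.22.25",
}
# Same, but EXTERNAL_NET widened to "any" (the setting under which an
# internal sender like 192.168.22.9 can trigger an $EXTERNAL_NET rule).
LOOSE_VARS: Dict[str, str] = dict(TIGHT_VARS, EXTERNAL_NET="any")
# Same as TIGHT_VARS, with one external subnet (a TEST-NET range) also excluded.
TRIMMED_VARS: Dict[str, str] = dict(TIGHT_VARS, EXTERNAL_NET="[!$HOME_NET,!203.0.113.0/24]")

# Headers under discussion, options trimmed to the sid.
ORIGINAL = "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (sid:13364;)"
POSTED_EDIT = "alert tcp ![192.168.41.9/24] $EXTERNAL_NET any -> $SMTP_SERVERS 25 (sid:13364;)"
HOST_EXCLUDED = "alert tcp [$EXTERNAL_NET,!192.168.22.9] any -> $SMTP_SERVERS 25 (sid:13364;)"
SUBNET_EXCLUDED = "alert tcp ![192.168.41.9/24] any -> $SMTP_SERVERS 25 (sid:13364;)"


def _split_top_level(text: str) -> List[str]:
    """Split on commas that are not nested inside [...]."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def _matches(ip: IPAddr, spec: str, ipvars: Dict[str, str]) -> bool:
    """Recursive matcher for any / !spec / $VAR / [list] / CIDR or single IP."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _matches(ip, spec[1:], ipvars)
    if spec.startswith("$"):
        return _matches(ip, ipvars[spec[1:]], ipvars)
    if spec.startswith("["):
        if not spec.endswith("]"):
            raise ValueError(f"unbalanced list: {spec}")
        elems = _split_top_level(spec[1:-1])
        negated = [e[1:] for e in elems if e.startswith("!")]
        positive = [e for e in elems if not e.startswith("!")]
        if any(_matches(ip, n, ipvars) for n in negated):
            return False
        return not positive or any(_matches(ip, p, ipvars) for p in positive)
    # A bare address or CIDR; strict=False lets "192.168.41.9/24" mean 192.168.41.0/24.
    return ip in ipaddress.ip_network(spec, strict=False)


def address_matches(ip: str, spec: str, ipvars: Dict[str, str]) -> bool:
    """Does `ip` fall inside the address spec under the given ipvar table?"""
    return _matches(ipaddress.ip_address(ip), spec, ipvars)


def parse_header(rule: str) -> Tuple[str, ...]:
    """Return (action, proto, src, sport, direction, dst, dport); the header
    must have exactly seven whitespace-separated fields before the '('."""
    head = rule.split("(", 1)[0].split()
    if len(head) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(head)}: {head}")
    return tuple(head)


def header_matches(rule: str, src_ip: str, dst_ip: str, ipvars: Dict[str, str]) -> bool:
    """True if both the source and destination address specs select the flow."""
    _, _, src, _, direction, dst, _ = parse_header(rule)
    if direction != "->":
        raise ValueError("only one-way (->) headers are modelled here")
    return address_matches(src_ip, src, ipvars) and address_matches(dst_ip, dst, ipvars)


if __name__ == "__main__":
    smtp = "192.168.22.25"
    print("original, tight vars, 192.168.22.9 :", header_matches(ORIGINAL, "192.168.22.9", smtp, TIGHT_VARS))
    print("original, loose vars, 192.168.22.9 :", header_matches(ORIGINAL, "192.168.22.9", smtp, LOOSE_VARS))
    print("host excluded,        192.168.22.9 :", header_matches(HOST_EXCLUDED, "192.168.22.9", smtp, LOOSE_VARS))
    print("/24 excluded,       192.168.41.200 :", header_matches(SUBNET_EXCLUDED, "192.168.41.200", smtp, LOOSE_VARS))
    print("trimmed vars,         203.0.113.5  :", header_matches(ORIGINAL, "203.0.113.5", smtp, TRIMMED_VARS))
    try:
        parse_header(POSTED_EDIT)
    except ValueError as err:
        print("posted edit rejected:", err)
```

Running it surfaces three things worth checking before touching a live rules file: the posted edit carries two source address fields (`![192.168.41.9/24]` and `$EXTERNAL_NET`) and so does not parse as a seven-field header; a `/24` on a single host excludes the whole 192.168.41.0/24, not just that host; and if an internal sender is matching `$EXTERNAL_NET` at all, the variable is broader than `!$HOME_NET` in the running configuration, which is worth confirming in snort.conf before reasoning about per-rule exclusions. For suppressing one signature from one source without editing a rules file that PulledPork regenerates, Snort 2's threshold.conf `suppress` directive (`suppress gen_id 1, sig_id 13364, track by_src, ip 192.168.22.9`) is the documented mechanism, and it leaves the rule itself untouched.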




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net