Snort mailing list archives
Re: Overriding alert rules with pass rules for specific cases
From: Kimi Ushida <kimi () kimiushida com>
Date: Fri, 09 May 2014 10:04:24 -0700
The vuln scanner runs continuously throughout the day (and night), so unfortunately suppressing events wouldn't be an option.

On 5/9/2014 5:39 AM, Joel Esler (jesler) wrote:

> On May 9, 2014, at 12:10 AM, Kimi Ushida <kimi () kimiushida com> wrote:
>
>> I have a question about writing a rule which in specific cases will pass (not alert/drop) traffic on which a VRT rule will otherwise alert. I'd like to leave the original VRT rule enabled as-is (for example, SID 25975, revision 2) since it's generally reliable. However, it falses in cases where we have a vuln scanner that we'd like to pass through without dropping, but this scanner's source IP may be obfuscated (such as through NAT, etc.) and from the perspective of the sensor could potentially share this same source IP with actual malicious sources. Therefore using BPF wouldn't work, since I have no way of distinguishing in the IP header between good and evil clients.
>>
>> I figured this is simply a matter of writing an equivalent pass rule keeping all of the original rule options in place, but with an additional content match which singles out the legitimate traffic we want to pass (in my case, the legit vuln scanner traffic will be seen with a unique content string which I can flag against). However, I'm apparently not doing something right, and I'm guessing this is attributable to the "fast_pattern:only;" part in the original VRT rule. Perhaps I need a refresher on the fast-pattern matching system to understand where I'm going wrong.
>
> Sounds like what you want to do is a suppression. Perhaps only for the time when the vuln scanner is running?
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
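The rule pair the original question describes, written out as an added illustration that is not from the thread or from the VRT ruleset. The real SID 25975 rev 2 is not reproduced; the alert rule below is a constructed local stand-in (SID 1000001, URI pattern and message are made up), and the scanner marker `X-Scanner-Token:` is an assumed header that the authorised scanner is presumed to send. The pass rule keeps the stand-in's header and detection options and adds one extra content match, so it is a strict superset of the alert rule and can only match the scanner's requests:

```snort
# Constructed stand-in for the VRT alert rule (NOT SID 25975; pattern is made up).
# fast_pattern:only puts the URI string into the fast-pattern matcher and does
# not re-evaluate it as a rule option; the pattern is therefore case-insensitive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL stand-in for VRT web-app rule"; \
    flow:to_server,established; \
    content:"/cgi-bin/example-check"; fast_pattern:only; http_uri; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# Pass rule: same header, same flow and URI content, plus a second content that
# only the authorised scanner carries (assumed header name). No explicit
# fast_pattern here: Snort picks its own fast pattern and evaluates both
# contents as ordinary options, so the rule fires only when BOTH are present.
# Sources that hit the URI without the marker still trigger sid:1000001.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL pass authorised vuln scanner"; \
    flow:to_server,established; \
    content:"/cgi-bin/example-check"; nocase; http_uri; \
    content:"X-Scanner-Token: "; http_header; \
    sid:1000002; rev:1; )
```

Two checks are worth making when deploying something like this. First, a pass rule only wins if pass rules are evaluated before alert/drop rules; that is Snort 2.x's default order, but `--alert-before-pass` (or a `config order` that lists alert first) reverses it and the pass rule will then never take effect. Second, the marker the pass rule keys on is the whole security boundary: anyone who can send the same token from the shared NAT address inherits the exemption, so it should be a value the scanner owner controls and rotates rather than a public default, and matches on sid:1000002 should still be logged (for example with `log` rather than `pass` during a trial period) so the exemption's use can be reviewed.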