Snort mailing list archives
Re: what is the command line to use ignore.rules - pass ip
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 22 Jan 2016 17:23:57 +0000
Can you run snort with "-Acmg -H -U -k none" and see if you get any alerts with this address? I have a rule with

  alert tcp $HOME_NET any -> any any (sid:1000001; msg:"TEST")

using your 'ipvar HOME_NET [192.168.1.66/24]'. I don't get any alerts with 0.0.0.0 in them. I do get a TON of these (see below; I clipped a bunch off), which suggests the output logging is summarizing. Please send us your conf file.

[root@onetwo snort-2.9.8.0-build_229]# ./bin/snort -c etc/ZERO.conf -r etc/ZERO.pcap -Acmg -H -U -k none -q | grep -i TEST
01/22-16:38:11.806576 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896482 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896600 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.184956 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.218249 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.226693 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.246559 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.267310 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.345081 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.354908 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.360292 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.382499 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.384308 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.384343 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.384409 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.384512 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.385764 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.437377 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.438300 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.500275 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.501804 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.501969 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.508686 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.526571 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.537222 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.548196 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.691885 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.700358 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.716337 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.719270 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.721788 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.724314 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.727436 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Al Lewis (allewi)
Sent: Friday, January 22, 2016 12:11 PM
To: hernani coelho; snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use ignore.rules - pass ip

There is no traffic in the pcap with a 0.0.0.0 address, which suggests you have something incorrectly set in your conf file, or you are viewing the alerts from another tool that is summarizing addresses. I used the home_net variable you provided and I don't get any alerts on the command line with an address of '0.0.0.0'. Please send me your conf file.

-----Original Message-----
From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Friday, January 22, 2016 11:52 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use ignore.rules - pass ip

I sent the pcap file of the traffic to your private email. If you cannot open that file, tell me.

On 22-01-2016 15:06, Al Lewis (allewi) wrote:
> Please provide a pcap of the traffic.

-----Original Message-----
From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Friday, January 22, 2016 9:23 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use ignore.rules - pass ip

The alerts are on dst ip 0.0.0.0, or src 64.4.8.0, or src 64.4.8.1.

On 22-01-2016 13:54, Al Lewis (allewi) wrote:
> Can you provide a pcap of the traffic you are having problems with?

In snort, downloading in pcap format shows nothing.

> Have you tried suppressing the IP's you don't want?

I have tried this --->

  suppress gen_id 1, sig_id 1852, track by_src, ip 0.0.0.0
  suppress gen_id 1, sig_id 1852, track by_src, ip 64.4.8.0
  suppress gen_id 1, sig_id 1852, track by_src, ip 64.4.8.1
  suppress gen_id 1, sig_id 1852, track by_dst, ip 0.0.0.0

> Do you have your home_net setup correctly?

  ipvar HOME_NET [192.168.1.66/24]

-----Original Message-----
From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Friday, January 22, 2016 8:45 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use ignore.rules - pass ip

If I put this in the command line --->

  /usr/local/bin/snort -q -u snort -g snort -O /etc/snort/rules/ignore.rules -c /etc/snort/snort.conf -i wlan0

snort does not work.

On 22-01-2016 13:30, hernani coelho wrote:
> Hello, I have this command line --->
>
>   /usr/local/bin/snort -q -u snort -g snort -O -c /etc/snort/snort.conf -i wlan0
>
> To work with the rule "pass ip" in the file /etc/snort/rules/ignore.rules, I have put this in the file -->
>
>   pass ip 64.4.8.0 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
>   pass ip 64.4.8.1 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
>   pass ip 0.0.0.0 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
>
> Is this correct?? Snort shows the IPs in the same way. Can someone help me?? I tried a BPF file but it did not work; the IP 0.0.0.0 is shown anyway.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
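An added example (not code from the thread or from Snort): a Python parser for the fast-alert lines Al pasted above, plus a simplified model of how a threshold.conf suppress entry (gen_id/sig_id, track by_src/by_dst, ip) selects alerts, so entries like the ones Hernani listed can be checked offline against the addresses that actually appear in the output. IPv4 only; the ICMP line for sid 1852 in the sample is constructed.

```python
"""Parse Snort fast-alert lines (the -A cmg / -A fast form seen in the thread) and
model which of them a suppress entry would remove. Simplified, not Snort's own code."""
import ipaddress
import re
from collections import Counter

# time [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(\S+) \[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (\d+)\] \{(\w+)\} "
    r"([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$"
)
# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr or CIDR>]
SUPPRESS_RE = re.compile(
    r"^suppress gen_id (\d+), sig_id (\d+)(?:, track (by_src|by_dst), ip (\S+))?$"
)

# Constructed sample: two lines copied from the thread plus a made-up ICMP alert
# for sid 1852 (the sid in Hernani's suppress entries) to exercise the by_src path.
SAMPLE = """\
01/22-16:38:11.806576 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:40:00.000000 [**] [1:1852:0] CONSTRUCTED [**] [Priority: 2] {ICMP} 64.4.8.1 -> 192.168.1.66
"""

def parse_alerts(text):
    """One dict per alert line; shell prompts and other non-alert lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({"time": m.group(1), "gid": int(m.group(2)), "sid": int(m.group(3)),
                           "msg": m.group(5), "proto": m.group(7), "src": m.group(8), "dst": m.group(10)})
    return alerts

def is_suppressed(alert, suppress_line):
    """True if gid/sid match and, when a track clause is present, the tracked address is in ip/CIDR."""
    m = SUPPRESS_RE.match(suppress_line.strip())
    if not m or (int(m.group(1)), int(m.group(2))) != (alert["gid"], alert["sid"]):
        return False
    if m.group(3) is None:  # no track clause: the sid is suppressed everywhere
        return True
    addr = alert["src"] if m.group(3) == "by_src" else alert["dst"]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(m.group(4), strict=False)

def addresses_seen(alerts):
    """Count each address as src or dst: a quick check whether 0.0.0.0 is really in the alerts."""
    return Counter(a["src"] for a in alerts) + Counter(a["dst"] for a in alerts)
```

Run it against the raw output of `snort ... -A fast` (or the `-Acmg` lines above) to see which entries in threshold.conf would actually hit; a front end that rewrites addresses will not show up here.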
Current thread:
- what is the command line to use ignore.rules - pass ip hernani coelho (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip Al Lewis (allewi) (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip Al Lewis (allewi) (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip Al Lewis (allewi) (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip Al Lewis (allewi) (Jan 22)
- Message not available
- Re: what is the command line to use ignore.rules - pass ip Al Lewis (allewi) (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 25)
- Re: what is the command line to use ignore.rules - pass ip wkitty42 (Jan 25)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 25)
- Re: what is the command line to use ignore.rules - pass ip Al Lewis (allewi) (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Jan 22)
- Re: what is the command line to use ignore.rules - pass ip hernani coelho (Feb 12)