Snort mailing list archives

Re: Snort Rule Question


From: Erick Mechler <emechler () techometer net>
Date: Mon, 17 Feb 2003 16:56:12 -0800

:: I am trying to stop an alert on specific rules against specific http
:: servers.  How is this done?  Assume the alert starts with:  alert tcp
:: $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS.....  if http_servers =
:: home_network, how do I stop this from alerting on certain servers?  Can
:: I use a list of ip addresses for the HTTP_SERVERS variable?

Probably the most effective way to do this is to create as many
$HTTP_SERVER variables as you need, and apply the appropriate variable to
each web-specific rule.  Not very elegant, but it will work.  Or, you could
start playing with pass rules for the specific web servers you're not
concerned with, but more alerts will slow down the application.

Cheers - Erick
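The two approaches described in the reply above, shown as an added snort.conf example that is not part of the original message. The addresses (documentation range), the `HTTP_SERVERS_IIS` variable name, the `uricontent` string and the SIDs are constructed placeholders; the two approaches are alternatives for the same match.

```conf
# Constructed example: all addresses, names and SIDs below are placeholders.
var EXTERNAL_NET any
var HTTP_PORTS 80

# An IP variable may hold a bracketed, comma-separated list of addresses.
var HTTP_SERVERS [192.0.2.10/32,192.0.2.11/32,192.0.2.12/32]

# Hypothetical narrower variable: only the servers that should still alert.
var HTTP_SERVERS_IIS [192.0.2.10/32,192.0.2.11/32]

# Approach 1: point the web-specific rule at the narrower variable
# instead of $HTTP_SERVERS, so 192.0.2.12 never matches it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS_IIS $HTTP_PORTS (msg:"LOCAL example web rule"; flow:to_server,established; uricontent:"/example.dll"; nocase; sid:1000001; rev:1;)

# Approach 2: leave the rule on $HTTP_SERVERS and add a pass rule with
# the same match for the server to be ignored.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL example web rule"; flow:to_server,established; uricontent:"/example.dll"; nocase; sid:1000002; rev:1;)
pass tcp $EXTERNAL_NET any -> 192.0.2.12/32 $HTTP_PORTS (flow:to_server,established; uricontent:"/example.dll"; nocase;)
```

For approach 2, Snort of this era tests alert rules before pass rules by default, so it has to be started with `-o` (rule order Pass, Alert, Log) for the pass rule to suppress the alert.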

