Snort mailing list archives

Re: Rule help


From: Erek Adams <erek () snort org>
Date: Mon, 27 Jan 2003 12:39:46 -0500 (EST)

On Mon, 27 Jan 2003, Gordon Cunningham wrote:

> I'm not quite sure how to approach writing or modifying rules for this
> scenario.  I have several hosts on my LAN that use SNMP polling for
> monitoring.  If I use the default rulebase for "SNMP request udp", these
> hosts will continually trigger alerts.  However, I'm not sure how to write
> the rule to exclude them but still limit the FROM addresses to my LAN.
>
> In other words, I'd like to get SNMP Request UDP alerts from any hosts on my
> LAN (which is a subset of the entire company network) OTHER than the few
> I've designated.  How do I designate a subnet and exclude a few hosts from
> that subnet?  I tried this - doesn't seem to work with 1.9.0:
>
> alert udp [$HOME_NET,!1.2.4.4,!2.3.4.5,!5.4.3.2] any -> $HOME_NET 161
> (msg:"SNMP request udp"; reference:cve,CAN-2002-0012;
> reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

Have a look at this:

        http://www.theadamsfamily.net/~erek/snort/ignore.txt

It was sent to the mailing list a while back, and it shows you two ways to
do that.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
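As an added illustration of the two usual ways to carve a few hosts out of a subnet (this is not the ignore.txt document linked above, which is not reproduced here), the following is Snort 2.x rule syntax written for this thread. It assumes $HOME_NET is already defined in snort.conf, reuses the poller addresses from the question as placeholders, and assumes a Snort 2 release that accepts a nested negated IP list and the `config order:` directive (neither is available in the 1.9.0 the question mentions).

```snort
# Constructed example for Snort 2.x; poller addresses are the placeholders
# from the question, and $HOME_NET is assumed to be defined in snort.conf.

# Way 1: nest a negated list inside the source address list. The rule then
# fires on SNMP requests from any HOME_NET host except the three pollers.
# (Snort 2.x wants the exclusions grouped as ![...], and each excluded
# address must be narrower than the range it is carved out of.)
alert udp [$HOME_NET,![1.2.4.4,2.3.4.5,5.4.3.2]] any -> $HOME_NET 161 \
    (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; \
    reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

# Way 2: leave the stock rule alone and add a pass rule for the pollers.
# Older Snort 2 releases evaluate alert rules before pass rules, so the pass
# rule only wins if the evaluation order is changed (same effect as -o).
config order: pass alert log

pass udp [1.2.4.4,2.3.4.5,5.4.3.2] any -> $HOME_NET 161 \
    (msg:"SNMP poller, suppress stock sid 1417"; sid:1000001; rev:1;)
```

Way 1 keeps the exclusion visible in the rule itself; way 2 is easier to maintain when the same pollers must be ignored by several rules, at the cost of a global change to rule ordering.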

