Snort mailing list archives
Re: How to ingnore a specific host(s) ?
From: Shawn Duffy <pakkit () codepiranha org>
Date: Fri, 30 May 2003 14:36:56 -0400 (EDT)
You may want to change your $EXTERNAL_NET variable from any to [any,!$WHATEVER_IP_YOU_WANT] and then make sure that whatever rule is triggering is using the variable $EXTERNAL_NET instead of "any"

shawn
pakkit at codepiranha dot org

On Fri, 30 May 2003 CGhercoias () TWEC COM wrote:
Hello everybody,

I have installed snort on several machines and everything works good. But,... I have one of the sensors listening in the _internal_ network, and it is located on the same segment with the _management_ server (ACID, mysql, php, Snortcenter, etc). Whenever an alert is triggered, let's say someone has received a spam email with porn in it, the event gets written in the database. I use Snort Alert Monitor (SAM) to be notified in real time if something is happening. I like the semaphore and the voice of HAL ;o), and it is pretty cool to be notified like this, rather than going in ACID every minute or so.

Now, if I browse in ACID to see that event, payload, etc., another alert is triggered, this time because of me -- the ACID is sending the page with the "malicious" content to my browser (because I'm browsing the ACID from my workstation), the _internal_ agent sees that and another alert gets written in the database......and so on.

This is the first part of my snort.eth1.conf:

#-------------------------------------------------------------------------------
# Snort Configuration file for < internal >
# Created with SnortCenter v1.0 RC1 < http://users.pandora.be/larc/ >
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var HOME_NET [any,!177.1.0.84/32,!177.1.0.94/32]
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var DNS_SERVERS [177.1.0.10/32,177.1.0.19/32]
# Next variable automatic added by SnortCenter, used in some rule(s).
var EXTERNAL_NET any
# output database: log, mysql, user=snort password=Sn0w.Strm dbname=snort host=177.1.0.94 port=3306 sensor_name=internal detail=full
#---------------------------------DATA SKIPS----------------------------------------

Although I've added in var HOME_NET [any,!177.1.0.84/32,!177.1.0.94/32] these two hosts to be explicitly ignored, I've searched documentation, I've seen an answer from Erek Adams, whatever I tried, the thing is not working.

What is missing, what am I doing wrong?

Thank you in advance for your help,

Catalin Ghercoias
mailto:cghercoias () twec com

-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
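As an added illustration of Shawn's two-part suggestion (this is not code from the thread or from Snort itself), the Python helper below rewrites a "var EXTERNAL_NET any" line into the negated-list form and then lists rules whose IP fields are a literal "any", since those rules never consult $EXTERNAL_NET and so cannot be silenced by an exclusion there. Function names, the conf snippet and the sample rules are constructed for this example.

```python
import re

# Constructed sample input (not from the original post): a snort.conf fragment
# and three rules. Only the third rule hard-codes "any" for its IP fields.
SAMPLE_CONF = """\
var HOME_NET [any,!177.1.0.84/32,!177.1.0.94/32]
var EXTERNAL_NET any
"""

SAMPLE_RULES = """\
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-CLIENT example"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC example"; sid:1000002;)
alert tcp any any -> any 25 (msg:"SMTP example, hard-coded any"; sid:1000003;)
# comments and blank lines are skipped
"""

# Snort 2.x rule header: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r'^\s*(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
    r'(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def exclude_hosts(conf_text, var_name, hosts):
    """Rewrite 'var NAME any' to 'var NAME [any,!h1,!h2,...]' (Shawn's first step)."""
    pattern = re.compile(r'^([ \t]*var[ \t]+%s[ \t]+)any[ \t]*$' % re.escape(var_name), re.M)
    new_value = '[any,' + ','.join('!' + h for h in hosts) + ']'
    return pattern.sub(lambda m: m.group(1) + new_value, conf_text)


def rules_with_literal_any(rules_text):
    """Return (line, sid, src_ip, dst_ip) for every rule whose source or destination
    IP field is the literal 'any' rather than a variable (Shawn's second step)."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # comment, blank line, or a header this simple matcher skips
        src_ip, dst_ip, options = m.group(3), m.group(6), m.group(8)
        sid = re.search(r'sid\s*:\s*(\d+)', options)
        if 'any' in (src_ip.lower(), dst_ip.lower()):
            findings.append((lineno, int(sid.group(1)) if sid else None, src_ip, dst_ip))
    return findings


if __name__ == '__main__':
    print(exclude_hosts(SAMPLE_CONF, 'EXTERNAL_NET', ['177.1.0.84/32', '177.1.0.94/32']))
    for finding in rules_with_literal_any(SAMPLE_RULES):
        print('rule at line %d (sid %s) hard-codes any: %s -> %s' % finding)
```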