Re: How to ingnore a specific host(s) ?

[Shawn Duffy <pakkit () codepiranha org>]

You may want to change your $EXTERNAL_NET variable from any to
[any,!$WHATEVER_IP_YOU_WANT]  and then make sure that whatever rule is
triggering is using the variable $EXTERNAL_NET instead of "any"

shawn
pakkit at codepiranha dot org

On Fri, 30 May 2003 CGhercoias () TWEC COM wrote:

> Hello everybody,
>
> I have installed snort on several machines and everything works good.
> But,... I have one of the sensors listening in the _internal_ network , and
> is located on the same segment with the _management_ server (ACID, mysql,
> php, Snortcenter, etc).
> Whenever an alert is triggered , let's say someone have received an spam
> email with porn in it, the event gets written in the database.
> I use Snort Alert Monitor (SAM) to be notified in real time if something is
> happening.
> I like the semaphore and the voice of HAL ;o) , and is pretty cool to be
> notified like this, rather that going in ACID every minute or so.
>
> Now, if I browse in ACID to see that event, payload, etc. another alert is
> triggered , this time because of me -- the Acid is sending me the page with
> the "malicious" content to my browser (because I'm browsing from my
> workstation the ACID), the _internal_ agent sees that and another alert gets
> written in the database......and so on.
>
> This is the first part of my snort.eth1.conf:
>
> #---------------------------------------------------------------------------
> ----
> # Snort Configuration file for < internal >
> # Created with SnortCenter v1.0 RC1 < http://users.pandora.be/larc/ >
>
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS
> [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.1
> 2.161.0/24,64.12.163.
> 0/24,205.188.5.0/24,205.188.9.0/24]
> var HOME_NET [any,!177.1.0.84/32,!177.1.0.94/32]
> var TELNET_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var DNS_SERVERS [177.1.0.10/32,177.1.0.19/32]
> # Next variable automatic added by SnortCenter, used in some rule(s).
> var EXTERNAL_NET any
> #
> output database: log, mysql, user=snort password=Sn0w.Strm dbname=snort
> host=177.1.0.94 port=3306 sensor_name=internal detail=full
> #---------------------------------DATA
> SKIPS----------------------------------------
>
> Although I've added in var HOME_NET [any,!177.1.0.84/32,!177.1.0.94/32]
> these two hosts to be explicitly ignored, I've searched documentation, I've
> seen an answer from Erek Adams, whatever I tried, the thing is not working.
>
> What is missing, what I'm doing wrong?
>
> Thank you in advance for your help,
>
> Catalin Ghercoias
> mailto:cghercoias () twec com
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: eBay
> Get office equipment for less on eBay!
> http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users