Snort mailing list archives

RE: Filtering alerts


From: Erek Adams <erek () snort org>
Date: Tue, 23 Sep 2003 10:04:01 -0400 (EDT)

On Tue, 23 Sep 2003, Richard Brackett wrote:

> I understand what you're saying, but what about a rule I'm interested in
> like the IIS Code Red rule. I know that all my current servers are
> patched against it so the alerts I get are just noise. I'm loath to
> disable the rule though because I never know when someone might put up
> an unpatched IIS box and get it infected. So, I'd like to be able to say
> "Don't alert when you see this attack to these addresses, but please
> alert to any other address." The only way to do it with Snort seems to
> be to use pass rules, which are supposed to take more CPU cycles to
> process. The BPF rules don't help me with individual SIDs, just IPs
> and protocols.
>
> Is there an output processing system that will filter alerts before
> sending them to mysql for ACID to look at?

Modify the rule and place it in something like 'my.rules'.

        # hosts already patched against Code Red; alerts to them are noise
        var MY_PATCHED_SERVERS [10.10.10.0/29]

        # same rule as the stock one, but the destination is negated so it
        # still fires for every web server NOT in the patched list
        alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80 <stuff>

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
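Added illustration (not code from this thread, and not Snort's own matcher): a toy evaluator for Snort rule headers that shows why the negated variable keeps the rule live for every destination except the patched hosts, without a pass rule. The rules text, the HOME_NET value, the sid 1000001 and the rule options are constructed placeholders; the real Code Red rule body is not reproduced.

```python
"""Toy evaluator for Snort rule headers: action, protocol, addresses,
ports and direction.  Payload options in parentheses are ignored.
Added example, not part of Snort; it only models the header semantics
needed to see how !$MY_PATCHED_SERVERS behaves."""
import ipaddress
import re

# Constructed rules file.  HOME_NET, the sid and the rule options are
# placeholders; the actual Code Red signature is not reproduced here.
MY_RULES = """\
var HOME_NET [10.10.0.0/16]
var EXTERNAL_NET !$HOME_NET
var MY_PATCHED_SERVERS [10.10.10.0/29]
alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80 (msg:"WEB-IIS placeholder rule"; sid:1000001; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def load_rules(text):
    """Split a rules file into a variable table and a list of parsed rule headers."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = HEADER_RE.match(line)
        if m:
            rule = m.groupdict()
            sid = re.search(r"sid:\s*(\d+)", rule["opts"])
            rule["sid"] = int(sid.group(1)) if sid else None
            rules.append(rule)
    return variables, rules


def resolve(spec, variables):
    """Expand $VAR references and fold any leading '!' into one negation flag."""
    negated = False
    while spec.startswith("!") or spec.startswith("$"):
        if spec[0] == "!":
            negated = not negated
            spec = spec[1:]
        else:
            spec = variables[spec[1:]]
    return negated, spec


def address_matches(spec, variables, ip):
    """True when ip satisfies an address field such as 'any', '[a/24,b]' or '!$VAR'."""
    negated, spec = resolve(spec, variables)
    if spec == "any":
        hit = True
    else:
        nets = [ipaddress.ip_network(s.strip(), strict=False)
                for s in spec.strip("[]").split(",") if s.strip()]
        hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def port_matches(spec, variables, port):
    """True when port satisfies 'any', a single port, a 'lo:hi' range, or their negation."""
    negated, spec = resolve(spec, variables)
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def _endpoints_match(rule, variables, src, sport, dst, dport):
    return (address_matches(rule["src"], variables, src)
            and port_matches(rule["sport"], variables, sport)
            and address_matches(rule["dst"], variables, dst)
            and port_matches(rule["dport"], variables, dport))


def rule_fires(rule, variables, proto, src, sport, dst, dport):
    """True when the 5-tuple satisfies the rule header; '<>' also tries the reverse direction."""
    if rule["proto"] != proto:
        return False
    if _endpoints_match(rule, variables, src, sport, dst, dport):
        return True
    return rule["dir"] == "<>" and _endpoints_match(rule, variables, dst, dport, src, sport)


def firing_sids(text, proto, src, sport, dst, dport):
    """Return the sids of every rule in text whose header matches the 5-tuple."""
    variables, rules = load_rules(text)
    return [r["sid"] for r in rules
            if rule_fires(r, variables, proto, src, sport, dst, dport)]


if __name__ == "__main__":
    ext = "203.0.113.7"  # constructed external source
    print(firing_sids(MY_RULES, "tcp", ext, 4444, "10.10.10.3", 80))  # patched host: []
    print(firing_sids(MY_RULES, "tcp", ext, 4444, "10.10.20.5", 80))  # other host: [1000001]
```

Running it shows the trade-off the reply is making: the same rule text is evaluated once per packet, and the negated destination list is just part of the header match, so nothing is spent on a separate pass rule. The cost is that a newly deployed, unpatched web server is covered automatically only if it sits outside MY_PATCHED_SERVERS; a host later added to that list silently drops out of coverage, so the variable needs to be re-checked whenever servers are rebuilt.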

