Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Filtering alerts

From: "Marc Quibell" <mquibell () fbfs com>
Date: Tue, 23 Sep 2003 15:44:26 -0500



Huh? well, that's different, but you have to keep updating it with patched
systems, overwritten patches...etc. I have an idea, how about looking at the
outgoing packets for (in this case) Code Red packets? This way, you'll know for
sure you have an infected machine. After all, you don't care about the attempts
coming in, because you really don't know if your servers are infected or hacked!
So then the rule would look like this:

     alert tcp $INTERNAL_NET any -> EXTERNAL_NET 80 <code red schtuff>

Marc

"Nothing clever to say"



Message: 3
Date: Tue, 23 Sep 2003 10:04:01 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: Richard Brackett <rbrackett () securityvolition com>
cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Filtering alerts



On Tue, 23 Sep 2003, Richard Brackett wrote:



I understand what you're saying, but what about a rule I'm interested in
like the IIS Code Red rule. I know that all my current servers are
patched against it so the alerts I get are just noise. I'm loath to
disable the rule though because I never know when someone might put up
an unpatched IIS box and get it infected. So, I'd like to be able to say
"Don't alert when you see this attack to these addresses, but please
alert to any other address." The only way to do it with Snort seems to
be to use pass rules, which are supposed to take more CPU cycles to
process. The BPF rules don't help me with individual SID's, just IP's
and protocols.

Is there an output processing system that will filter alerts before
sending them to mysql for ACID to look at?



Modify the rule and place it in something like 'my.rules'.



   var MY_PATCHED_SERVERS [10.10.10.0/29]



   alert tcp $EXTERNAL_NET any !$MY_PATCHED_SERVERS 80 <stuff>



Cheers!



-----
Erek Adams



  "When things get weird, the weird turn pro."   H.S. Thompson





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: