Snort mailing list archives

RE: Rule to exclude a specific IP in Snort


From: "Jason" <snort-users () tcpipbitch net>
Date: Thu, 9 Oct 2003 09:34:19 -0400 (EDT)

Using bpf filters like this is not really scalable on any network.
Every time you want to update a bpf filter you would have to rerun the
command and add the filter options; that can get to be a really long
command line.

The better option would be to use the -F switch on snort, and specify a
file that will contain your bpf filters.
Example of my bpf.filter file:

more /usr/local/etc/bpf.rules
not (host xxx.xxx.79.243 or host xxx.xxx.81.38 or host xxx.xxx.79.246)
and not (src host xxx.xxx.101.240 and dst host xxx.xxx.179.58)
and not (src host xxx.xxx.25.101 and dst port 21)
and not ((src host xxx.xxx.101.233 and src port 1521) and dst host
xxx.xxx.179.95)
and not (src host xxx.xxx.2.102 and dst port 161)
and not ((src host xxx.xxx.179.70) and (dst host xxx.xxx.239.50 and dst
port 135))

You can obviously add more advanced options if you wish; however, it will
allow you to keep better control of what you are filtering out, and make it
easier to read, add and remove filters.  Just HUP snort after editing the file.
These are basic filters; I am no expert at bpf filters, but you should be
able to get the idea.
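What a filter file like the one above actually keeps and drops, as an added example that is not code from the post or from libpcap: a small Python evaluator for the host/port subset of the BPF syntax used there. The filter text and the packets are constructed for the example (made-up addresses, not the poster's), and primitives such as `icmp[0]` are not handled. It also shows the blind-side case: `not host A or not host B` reads like an exclusion of both hosts but drops only packets that involve both of them, because `not` binds tighter than `or`.

```python
"""Evaluate the subset of BPF syntax used in a snort -F filter file.
Added example, not from the post or from libpcap: only host/port primitives
(optionally src- or dst-qualified), and/or/not and parentheses, with libpcap
precedence (not binds tightest, then and, then or)."""
import re

# Constructed filter in the shape of the bpf.rules file above; addresses are
# made up. libpcap reads the whole -F file as one expression, so the line
# breaks are plain whitespace.
FILTER_FILE = """
not (host 10.0.79.243 or host 10.0.81.38)
and not (src host 10.0.25.101 and dst port 21)
and not ((src host 10.0.101.233 and src port 1521) and dst host 10.0.179.95)
"""
# A blind-side: with 'or', only packets involving BOTH hosts are dropped, so
# traffic to or from just one of them still reaches Snort.
BLINDSIDING_FILTER = "not host 10.0.79.243 or not host 10.0.81.38"

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

class Parser:
    def __init__(self, text):
        self.toks, self.i = TOKEN_RE.findall(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected {self.peek()!r} after expression")
        return node
    def chain(self, op, sub):  # sub (op sub)*, left-associative
        node = sub()
        while self.peek() == op:
            self.take()
            node = (op, node, sub())
        return node
    def expr(self):  # term ('or' term)*
        return self.chain("or", self.term)
    def term(self):  # factor ('and' factor)*
        return self.chain("and", self.factor)
    def factor(self):  # 'not' factor | '(' expr ')' | primitive
        if self.peek() == "not":
            self.take()
            return ("not", self.factor())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        return self.primitive()
    def primitive(self):  # ['src'|'dst'] ('host' ADDR | 'port' NUM)
        direction = self.take() if self.peek() in ("src", "dst") else "any"
        kind = self.take()
        if kind not in ("host", "port"):
            raise SyntaxError(f"unsupported primitive {kind!r}")
        value = self.take()
        return (kind, direction, int(value) if kind == "port" else value)

def evaluate(node, pkt):
    """True if the packet passes the filter, i.e. Snort would see it."""
    op = node[0]
    if op in ("and", "or"):
        combine = all if op == "and" else any
        return combine(evaluate(child, pkt) for child in node[1:])
    if op == "not":
        return not evaluate(node[1], pkt)
    kind, direction, value = node
    ends = {"src": pkt["src"], "dst": pkt["dst"]} if kind == "host" else \
        {"src": pkt["sport"], "dst": pkt["dport"]}
    sides = ends.values() if direction == "any" else [ends[direction]]
    return value in sides

def snort_sees(filter_text, pkts):
    """One bool per packet: True means the filter lets Snort see it."""
    tree = Parser(filter_text).parse()
    return [evaluate(tree, p) for p in pkts]

def packet(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed packets; the comment says what each one exercises.
SAMPLE_PACKETS = [
    packet("10.0.79.243", 40000, "10.0.1.1", 80),        # excluded host as source
    packet("10.0.25.101", 40000, "10.0.1.1", 21),        # the dst-port-21 exclusion
    packet("10.0.25.101", 40000, "10.0.1.1", 22),        # same source, other port: seen
    packet("10.0.101.233", 1521, "10.0.179.95", 40000),  # the port-1521 exclusion
    packet("10.0.179.95", 40000, "10.0.101.233", 1521),  # reversed direction: seen
    packet("192.0.2.7", 1234, "10.0.81.38", 443),        # excluded host as destination
]
```

snort_sees(FILTER_FILE, SAMPLE_PACKETS) returns [False, False, True, False, True, False], while snort_sees(BLINDSIDING_FILTER, SAMPLE_PACKETS) lets all six packets through. For a real filter file, `tcpdump -d -F /usr/local/etc/bpf.rules` compiles it with libpcap and prints the resulting BPF program, which is a cheap syntax check before HUPing snort.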


2.  BPF Filters:
      + Advantages:
        Drops the packet at the BPF interface, which saves on processing.
        Speeds up Snort since it 'never sees' those packets.
      + Disadvantages:
        Poorly constructed filters can 'blind-side' you.
      + Example:
        To ignore all traffic from 192.168.0.1:

            snort <commandline options> not host 192.168.0.1

        To ignore all ICMP ECHO REQUESTs (pings) and ICMP ECHO REPLYs
        (ping replies) from host <foo>:

            snort <options> "not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )"

That'll ignore everything from that IP.  If you want to pass just on
that rule, I'd create a pass rule for that specific IP address and then
make sure that you start snort with the '-o' switch to process pass
rules first (before alert rules).  Like this:

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip;
reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:4;)

pass ip 192.168.10.37 any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip;
reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:4;)

Then start snort with the -o so that it'll pass on the 192.168.10.37 ->
192.168.10.37 traffic before alerting on other traffic.




Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
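The rule-order point made above, as an added example that is neither Snort's code nor from the thread: a Python model of how the pass and alert rules fire under the Snort 2 default order (Alert, then Pass, then Log) and under the Pass-first order that -o selects. The rules are constructed in the shape of the pair above; the pass rule is given its own local sid 1000527 (an assumption) rather than reusing 527, so the two can be told apart in output. Only plain addresses and `any` are matched, with `ip` as a wildcard protocol; CIDR, negation, port lists and variables are left out.

```python
"""Simulate Snort 2 rule-order handling for an alert/pass pair.

Added example, not from the post or from Snort. It parses the rule header
and the two options it needs (sameip, sid), then applies either the default
order (alert rules before pass rules) or the -o order (pass rules first).
Simplified: no CIDR, negation, port ranges or variables; 'ip' matches any
protocol; the first rule that fires in the chosen order decides the verdict.
"""
import re

# Constructed rules in the shape of the pair quoted above. The pass rule gets
# its own local sid (assumption) instead of reusing sid 527.
RULES = """
alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; classtype:bad-unknown; sid:527; rev:4;)
pass ip 192.168.10.37 any -> any any (msg:"pass sameip from the known-bad host"; sameip; sid:1000527; rev:1;)
"""

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

DEFAULT_ORDER = ("alert", "pass", "log")     # Snort 2 default: Alert->Pass->Log
PASS_FIRST_ORDER = ("pass", "alert", "log")  # what -o selects: Pass->Alert->Log

def parse_rules(text):
    """Parse one rule per line into dicts with header fields, sameip and sid."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if m is None:
            raise ValueError(f"cannot parse rule: {line!r}")
        rule = m.groupdict()
        opts = {}
        for item in rule.pop("opts").split(";"):
            item = item.strip()
            if item:
                key, _, val = item.partition(":")
                opts[key.strip()] = val.strip().strip('"') if val else True
        rule["sameip"] = opts.get("sameip") is True
        rule["sid"] = int(opts["sid"])
        rules.append(rule)
    return rules

def _field(rule_value, pkt_value):
    return rule_value == "any" or rule_value == str(pkt_value)

def matches(rule, pkt):
    """Header match plus the sameip option; '<>' also tries the reverse direction."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["sameip"] and pkt["src"] != pkt["dst"]:
        return False
    forward = (_field(rule["src"], pkt["src"]) and _field(rule["sport"], pkt["sport"])
               and _field(rule["dst"], pkt["dst"]) and _field(rule["dport"], pkt["dport"]))
    if rule["dir"] == "<>":
        reverse = (_field(rule["src"], pkt["dst"]) and _field(rule["sport"], pkt["dport"])
                   and _field(rule["dst"], pkt["src"]) and _field(rule["dport"], pkt["sport"]))
        return forward or reverse
    return forward

def dispatch(rules, pkt, pass_first=False):
    """Return (action, sid) of the first rule that fires in the chosen order,
    or (None, None). A matching pass rule stops further processing."""
    order = PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, pkt):
                return action, rule["sid"]
    return None, None

def packet(src, sport, dst, dport, proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
```

With the default order, a same-src/dst packet from 192.168.10.37 still alerts as sid 527 because the alert rules are consulted first; with pass_first=True it is passed, while the same traffic from 192.168.10.50 alerts either way, and a packet from 192.168.10.37 to some other host matches neither rule because both carry sameip.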


-----Original Message-----
From: Juan M. Rivera [mailto:jrivera () aupr edu]
Sent: Thursday, October 09, 2003 7:20 AM
To: Snort Users List
Subject: [Snort-users] Rule to exclude a specific IP in Snort


I'm trying to modify the following Snort Rule:

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip;
reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:4;)

I'm getting an alert on just one ip address and I know what the problem is.
So I'm trying to modify this rule so that it takes into account any internal
ip address except 192.168.10.37.

How do I modify the rule?


Juan M. Rivera Rivera
IT Director
American University of P.R.




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


