Snort mailing list archives
RE: Rule to exclude a specific IP in Snort
From: "Jason" <snort-users () tcpipbitch net>
Date: Thu, 9 Oct 2003 09:34:19 -0400 (EDT)
Using bpf filters like this is not really scalable on any network. Everytime you want to update a bpf filter you would have to rerun the command and add the filter options.... that can get to be a really long command line. The better option would be to use the -F switch on snort, and specify a file that will contain your bpf filters.. example of my bpf.filter file
more /usr/local/etc/bpf.rules

not (host xxx.xxx.79.243 or host xxx.xxx.81.38 or host xxx.xxx.79.246) and not (src host xxx.xxx.101.240 and dst host xxx.xxx.179.58) and not (src host xxx.xxx.25.101 and dst port 21) and not ((src host xxx.xxx.101.233 and src port 1521) and dst host xxx.xxx.179.95) and not (src host xxx.xxx.2.102 and dst port 161) and not ((src host xxx.xxx.179.70) and (dst host xxx.xxx.239.50 and dst port 135))

You can obviously add more advanced options if you wish; however, it will allow you to keep better control of what you are filtering out, and it is easier to read, add and remove filters. Just HUP snort after editing the file. These are basic filters, I am no expert at bpf filters, but you should be able to get the idea.
2. BPF Filters:
 + Advantages: Drops the packet at the BPF interface, which saves on processing. Speeds up Snort since it 'never sees' those packets.
 + Disadvantages: Poorly constructed filters can 'blind-side' you.
 + Example: To ignore all traffic from 192.168.0.1:
snort <commandline options> not host 192.168.0.1
To ignore all ICMP ECHO-REQUESTS (pings) and ICMP ECHO-REPLYs (ping reply) from host <foo>:
snort <options> ``not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )''
That'll ignore everything from that IP. If you want to pass just on that rule, I'd create a pass rule for that specific IP address and then make sure that you start snort with the '-o' switch to process pass rules first (before alert rules). Like this:

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)

pass ip 192.168.10.37 any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)

Then start snort with the -o so that it'll pass on the 192.168.10.37 -> 192.168.10.37 traffic before alerting on other traffic.

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856

-----Original Message-----
From: Juan M. Rivera [mailto:jrivera () aupr edu]
Sent: Thursday, October 09, 2003 7:20 AM
To: Snort Users List
Subject: [Snort-users] Rule to exclude a specific IP in Snort

I'm trying to modify the following Snort Rule:

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)

I'm getting an alert on just one ip address and I know what the problem is. So I'm trying to modify this rule so that it takes into account any internal ip address except 192.168.10.37. How do I modify the rule?

Juan M. Rivera
IT Director
American University of P.R.

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
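The two approaches above (Jason's -F filter file and Andrew's pass rule with -o) both come down to assembling text correctly: a long BPF expression where one misplaced parenthesis silently blinds the sensor, and a pass rule that must carry the same detection option as the alert it overrides. The script below is an added example written for this page, not code posted by anyone in the thread. It generates both artifacts from a short exclusion list so the expression is never hand-edited. The list format (host / pair / srcport / dstport), the function names, the documentation-range addresses and the local sid 1000527 are all assumptions made for the example; the pass rule deliberately uses a sid in the local range rather than duplicating sid 527.

```shell
#!/bin/sh
# Added example: build a Snort BPF exclusion file (for snort -F) and a pass
# rule (for snort -o) from a small exclusion list. Not part of the thread.

# Constructed sample exclusion list, one entry per line. Line formats (my own
# convention, not a Snort or tcpdump format):
#   host <ip>              ignore all traffic to or from <ip>
#   pair <src> <dst>       ignore the <src> -> <dst> flow
#   srcport <src> <port>   ignore traffic from <src> with source port <port>
#   dstport <src> <port>   ignore traffic from <src> to any host on <port>
EXCLUSIONS='host 192.0.2.10
host 192.0.2.11
pair 192.0.2.20 198.51.100.5
dstport 192.0.2.30 161'

# bpf_from_exclusions: read exclusion lines on stdin, print one BPF expression.
# All plain hosts are collected into a single "not (host A or host B ...)"
# group; every flow-specific exclusion gets its own parenthesised "not (...)"
# term, and the terms are joined with "and". Grouping each negation explicitly
# is what keeps a later edit from changing the meaning of an earlier term.
bpf_from_exclusions() {
    hosts=""
    terms=""
    while read -r kind a b; do
        case "$kind" in
            host)    hosts="${hosts:+$hosts or }host $a" ;;
            pair)    terms="${terms:+$terms and }not (src host $a and dst host $b)" ;;
            srcport) terms="${terms:+$terms and }not (src host $a and src port $b)" ;;
            dstport) terms="${terms:+$terms and }not (src host $a and dst port $b)" ;;
            "")      ;;   # blank line, ignore
            *)       echo "unknown exclusion kind: $kind" >&2; return 1 ;;
        esac
    done
    expr=""
    [ -n "$hosts" ] && expr="not ($hosts)"
    [ -n "$terms" ] && expr="${expr:+$expr and }$terms"
    printf '%s\n' "$expr"
}

# pass_rule_for_host: emit a pass rule for one address that carries the same
# detection option (sameip) as sid 527, so that with snort -o the pass rule is
# evaluated first and only that host is exempted from the alert. $1 is the
# host, $2 the sid to use (assumed: a local sid >= 1000000, not 527 itself).
pass_rule_for_host() {
    printf 'pass ip %s any -> any any (msg:"BAD-TRAFFIC same SRC/DST exempt host"; sameip; sid:%s; rev:1;)\n' "$1" "$2"
}

# Stand-alone run: print the filter file contents and the pass rule. Redirect
# the first to your -F file and HUP snort; append the second to a local rules
# file and start snort with -o.
printf '%s\n' "$EXCLUSIONS" | bpf_from_exclusions
pass_rule_for_host 192.168.10.37 1000527
```

Before pointing a live sensor at the generated file, compile-check it against a capture you already have with tcpdump, which also reads filter files with -F: `tcpdump -r some.pcap -d -F bpf.rules` prints the compiled BPF program and exits, so a syntax error or a missing parenthesis surfaces here instead of on the running sensor. Note that -o reorders all pass rules ahead of all alert rules, not just this one, so audit any other pass rules in the configuration before enabling it.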
Current thread:
- Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 09)
- EXTERNAL_NET definition in Snort Jukka Juslin (Oct 09)
- Re: EXTERNAL_NET definition in Snort Erek Adams (Oct 09)
- Re: Rule to exclude a specific IP in Snort Chris Green (Oct 09)
- RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 09)
- Re: Rule to exclude a specific IP in Snort Chris Green (Oct 09)
- RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 14)
- RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 09)
- <Possible follow-ups>
- RE: Rule to exclude a specific IP in Snort Hutchinson, Andrew (Oct 09)
- RE: Rule to exclude a specific IP in Snort Jason (Oct 09)
- RE: Rule to exclude a specific IP in Snort Grime, Richard S (Oct 09)
- FW: Rule to exclude a specific IP in Snort grant (Oct 16)
- Re: FW: Rule to exclude a specific IP in Snort Erek Adams (Oct 16)
- Re: Rule to exclude a specific IP in Snort Nordwall, Douglas J (Oct 20)