Snort mailing list archives

RE: Rule to exclude a specific IP in Snort


From: "Juan M. Rivera" <jrivera () aupr edu>
Date: Thu, 9 Oct 2003 10:11:40 -0400

Does that line (suppress gen_id 1, sig_id 527, track by_src, ip
192.168.10.37) go in the .rules file?

Juan M. Rivera Rivera
IT Director
American University of P.R.

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Thursday, October 09, 2003 9:28 AM
To: Juan M. Rivera
Cc: Snort Users List
Subject: Re: [Snort-users] Rule to exclude a specific IP in Snort

"Juan M. Rivera" <jrivera () aupr edu> writes:

I'm trying to modify the following Snort Rule:

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip;
reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:4;)

I'm getting an alert on just one IP address and I know what the problem
is. So I'm trying to modify this rule so that it takes into account any
internal IP address except 192.168.10.37.

Don't bother with changing the rule anymore for handling that case.

suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37

in snort 2.0.2.
--
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.
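
An added example, not part of the original messages and not Snort's own code: a small Python model of what the suppress line above matches, run over constructed alerts. It shows that the suppression is scoped to gen_id 1 / sig_id 527 from source 192.168.10.37 only; the alert records, the second SID (1000001) and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# The directive exactly as posted in the thread.
SUPPRESS_LINE = "suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37"

def parse_suppress(line):
    """Parse 'suppress gen_id G, sig_id S[, track by_src|by_dst, ip ADDR[/LEN]]'."""
    m = re.match(r"\s*suppress\s+(.+)$", line)
    if not m:
        raise ValueError("not a suppress directive: %r" % line)
    opts = {}
    for part in m.group(1).split(","):
        key, _, value = part.strip().partition(" ")
        opts[key] = value.strip()
    rule = {"gid": int(opts["gen_id"]), "sid": int(opts["sig_id"]),
            "track": opts.get("track"), "net": None}
    if "ip" in opts:
        # A bare address becomes a /32; CIDR blocks are accepted too.
        rule["net"] = ipaddress.ip_network(opts["ip"], strict=False)
    if (rule["track"] is None) != (rule["net"] is None):
        raise ValueError("track and ip must be given together")
    if rule["track"] not in (None, "by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return rule

def is_suppressed(rule, alert):
    """True if the alert would be dropped by this suppress rule."""
    if (alert["gid"], alert["sid"]) != (rule["gid"], rule["sid"]):
        return False                      # other signatures are untouched
    if rule["net"] is None:
        return True                       # no track/ip: the signature is silenced everywhere
    addr = alert["src"] if rule["track"] == "by_src" else alert["dst"]
    return ipaddress.ip_address(addr) in rule["net"]

def surviving_alerts(line, alerts):
    rule = parse_suppress(line)
    return [a for a in alerts if not is_suppressed(rule, a)]

# Constructed sample alerts (not taken from any real log).
ALERTS = [
    {"gid": 1, "sid": 527, "src": "192.168.10.37", "dst": "192.168.10.37"},
    {"gid": 1, "sid": 527, "src": "192.168.10.40", "dst": "192.168.10.40"},
    {"gid": 1, "sid": 1000001, "src": "192.168.10.37", "dst": "10.0.0.5"},
]

if __name__ == "__main__":
    for alert in surviving_alerts(SUPPRESS_LINE, ALERTS):
        print("still alerts:", alert)
```

Only the first alert is dropped: sid 527 from any other host, and any other signature triggered by 192.168.10.37, still reach the alert output.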


