Snort mailing list archives

Re: Rule to exclude a specific IP in Snort


From: "Nordwall, Douglas J" <doug () pnl gov>
Date: Mon, 20 Oct 2003 08:33:02 -0700


This should work, assuming that the sig you are looking at comes from gen_id
2. I'm not a snort expert by any means, but as I understand it, gen_id
refers to where the alert is coming from, not so much a sequence number.

Try changing the second to gen_id 1 and see if it works.

On 10/16/03 4:34 AM, "grant" <grant () macaulayconsultants co uk> wrote:

I am trying to create an exclusion list for multiple machines and rules. I
have created a file called whiteSRC.txt and included this in my snort.conf, I
can get it to work with one machine. I am having difficulty with multiple
entries. Is there any information or documentation I can get anywhere?

suppress gen_id 1, sig_id 409, track by_src, ip 172.30.234.56    This line
works fine!
suppress gen_id 2, sig_id 1419, track by_dst, ip 172.28.71.60    Is this
right? I made this up!!

Thanks

Grant Macaulay

Hey Chris,

What do the different parts of that instruction mean?

suppress
gen_id 1,         <-- what does this mean?
sig_id 527,
track by_src,    <-- And this?
ip 192.168.10.37

Thanks

Juan M. Rivera Rivera
IT Director
American University of P.R.

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Thursday, October 09, 2003 9:28 AM
To: Juan M. Rivera
Cc: Snort Users List
Subject: Re: [Snort-users] Rule to exclude a specific IP in Snort

"Juan M. Rivera" <jrivera () aupr edu> writes:

I'm trying to modify the following Snort Rule:

alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip;
reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:4;)

I'm getting an alert on just one ip address and I know what the problem is.
So I'm trying to modify this rule so that it takes into account any internal
ip address except 192.168.10.37.

Don't bother with changing the rule anymore for handling that case.

suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37

in snort 2.0.2.
--
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
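As an added example for this thread (not code from the thread, and not Snort's own code), the script below re-implements the matching semantics of the Snort 2.x "suppress" directive discussed above, so you can check a whiteSRC.txt-style file against sample alerts before loading it. It assumes the documented Snort 2.x syntax "suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|addr/bits>]"; the CIDR form and the track-less form come from the Snort manual, not from this thread, and the alert inputs are constructed. Alerts raised by rules loaded from .rules files carry gen_id 1, which is why Grant's gen_id 2 line never matches a rule alert for sid 1419 until it is changed to gen_id 1, as Doug suggests.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed include file in the style of Grant's whiteSRC.txt. The first
# three suppress lines are the ones posted in the thread; the CIDR line uses
# the "ip <addr|addr/bits>" form from the Snort 2.x manual (assumption: the
# Snort version you run accepts it).
SUPPRESS_CONF = """\
# whiteSRC.txt (constructed for this example)
suppress gen_id 1, sig_id 409,  track by_src, ip 172.30.234.56
suppress gen_id 2, sig_id 1419, track by_dst, ip 172.28.71.60
suppress gen_id 1, sig_id 527,  track by_src, ip 192.168.10.37
suppress gen_id 1, sig_id 527,  track by_src, ip 192.168.20.0/24
"""

# Doug's suggestion from the thread: the same line with gen_id 1 instead of 2.
CORRECTED_1419 = "suppress gen_id 1, sig_id 1419, track by_dst, ip 172.28.71.60"

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Suppress:
    gen_id: int             # which Snort component raised the alert (1 = rules engine)
    sig_id: int             # the sid of that component's event
    track: Optional[str]    # "by_src" / "by_dst"; None = suppress regardless of address
    net: Optional[Network]  # single host (as /32) or CIDR block to match


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    src: str
    dst: str


def parse_suppress(text: str) -> List[Suppress]:
    """Parse suppress lines; '#' comments and blank lines are skipped."""
    rules: List[Suppress] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        gid, sid, track, ip = m.groups()
        # strict=False lets both "172.28.71.0/24" and a bare host become a network
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gid), int(sid), track, net))
    return rules


def is_suppressed(alert: Alert, rules: List[Suppress]) -> bool:
    """True if any entry matches: gen_id AND sig_id must both equal the alert's,
    then the tracked address (src or dst, never both) must fall inside ip."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (alert.gen_id, alert.sig_id):
            continue
        if r.track is None:
            return True
        tracked = alert.src if r.track == "by_src" else alert.dst
        if ipaddress.ip_address(tracked) in r.net:
            return True
    return False


def demo() -> Dict[str, bool]:
    """Run constructed alerts through the conf; rule-file alerts all have gen_id 1."""
    rules = parse_suppress(SUPPRESS_CONF)
    fixed = rules + parse_suppress(CORRECTED_1419)
    return {
        # sid 409 from the whitelisted host: suppressed
        "409_from_host": is_suppressed(Alert(1, 409, "172.30.234.56", "10.0.0.5"), rules),
        # same host as destination, but the entry tracks by_src: still alerts
        "409_to_host": is_suppressed(Alert(1, 409, "10.0.0.5", "172.30.234.56"), rules),
        # Grant's second line says gen_id 2, so a gen_id 1 rule alert is NOT suppressed
        "1419_gid1_original": is_suppressed(Alert(1, 1419, "10.0.0.5", "172.28.71.60"), rules),
        # ... and it is once the entry is changed to gen_id 1, as Doug suggested
        "1419_gid1_corrected": is_suppressed(Alert(1, 1419, "10.0.0.5", "172.28.71.60"), fixed),
        # Chris's answer to Juan: the sameip alert from 192.168.10.37 is suppressed
        "527_from_juan_host": is_suppressed(Alert(1, 527, "192.168.10.37", "192.168.10.37"), rules),
        # a neighbouring host is not covered by the single-IP entry
        "527_from_other_host": is_suppressed(Alert(1, 527, "192.168.10.38", "192.168.10.38"), rules),
        # the CIDR entry covers the whole 192.168.20.0/24 block
        "527_from_cidr_block": is_suppressed(Alert(1, 527, "192.168.20.9", "192.168.20.9"), rules),
    }


if __name__ == "__main__":
    for name, suppressed in demo().items():
        print(f"{name:24s} suppressed={suppressed}")
```

The two things the matcher makes visible are the ones the thread turns on: an entry is only consulted when both gen_id and sig_id equal the alert's, and "track" selects exactly one address (source or destination) to compare against "ip", so a host that is whitelisted by_src still produces alerts when it is the destination.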
