Snort mailing list archives

RE: ignore a single host


From: "Shnitko, Maxim {PBG}" <Maxim.Shnitko () intl pepsi com>
Date: Tue, 23 Nov 2004 11:11:48 +0300

Yes, you are right, but a better way is to create a new variable with a
name like "SNMP_CONSOLES" for future use. Then if you change the IP address
or add an additional PC with the same function, you just add the new IP
address to the variable. At present I'm using 65 manually created rules to
filter the false alerts, for example SNMP requests from CIM.

Maxim


-----Original Message-----
From: isp [mailto:isp () bnjcomp com] 
Sent: Tuesday, November 23, 2004 10:35 AM
To: Shnitko, Maxim {PBG}; snort-users () lists sourceforge net
Subject: Re: [Snort-users] ignore a single host


Sorry about the next question, but I'm new to this.
You mean go to snmp.rules,
copy the SNMP "request udp" rule (alert udp $EXTERNAL_NET any -> $HOME_NET
161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089;
reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013;
classtype:attempted-recon; sid:1417; rev:9;)),

then put that in local.rules (which is empty but loaded in my snort.conf),
then change it to say:

pass udp 12.170.222.13 any -> $HOME_NET 161 (msg:"SNMP request udp";
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon;
sid:1417; rev:9;)

then save it and reload snort?
am I reading this right?

thanks terry

----- Original Message ----- 
From: "Shnitko, Maxim {PBG}" <Maxim.Shnitko () intl pepsi com>
To: "'isp'" <isp () bnjcomp com>; <snort-users () lists sourceforge net>
Sent: Tuesday, November 23, 2004 12:43 AM
Subject: RE: [Snort-users] ignore a single host


Open the signature "SNMP request udp", save it as a new one (in local.rules),
add a new variable name with that host address, add this new variable as the
source address in the created signature and replace "alert" with "pass"...
That is all.

Regards,
Maxim

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of isp
Sent: Sunday, November 21, 2004 12:44 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ignore a single host


Can't quite figure out how to ignore a single computer.

I have a computer which continuously gets the following alert. It is because
it is making lots of SNMP requests, which is what it is supposed to do.
How do I get snort to ignore a single host like this, or just ignore this
particular alert?

thanks terry


[**] [1:1417:9] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/21-03:37:59.626234 12.170.222.13:53965 -> 12.170.222.148:161 UDP
TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:118 DF
Len: 90
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012]
[Xref => http://www.securityfocus.com/bid/4132]
[Xref => http://www.securityfocus.com/bid/4089]
[Xref => http://www.securityfocus.com/bid/4088]



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real 
users. Discover which products truly live up to the hype. Start 
reading now. http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
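The procedure Maxim describes, put together as one configuration. This is an added example, not text from any message in the thread, and it goes beyond the thread in two ways: it includes the `config order` line that the Snort 2.x releases of this era needed before a pass rule had any effect (alert rules were otherwise evaluated before pass rules unless `-o` or `config order` was used; later 2.x releases made pass-first the default, so check the manual for your version), and it shows the `suppress` directive available in snort.conf since Snort 2.0 as an alternative that silences only SID 1417 for that one host without touching the rule set. The variable name SNMP_CONSOLES is Maxim's; the local sid 1000001 and the msg text are chosen here.

```conf
# ---- snort.conf additions (added example, not from the thread) ----

# The management console(s) whose SNMP polling is expected.
# Bracketed, comma-separated lists are allowed, so more hosts can be added later.
var SNMP_CONSOLES [12.170.222.13/32]

# Snort 2.x of this period evaluated alert rules before pass rules by default,
# so a pass rule did nothing unless the order was changed here (or with -o).
config order: pass alert log

# Option A: suppress only SID 1417 (gen_id 1) when the source is the console.
# The stock rule is untouched and every other SNMP rule still fires for this host.
suppress gen_id 1, sig_id 1417, track by_src, ip 12.170.222.13

# ---- local.rules (must be reached by an include line in snort.conf) ----

# Option B: the pass rule from the thread, with the console variable as source.
# Caveat: a header-only pass rule silences EVERY rule whose header it matches,
# i.e. all UDP/161 traffic from the consoles, not just SID 1417.
# Give it a sid in the local range (1000000 and above); do not reuse 1417.
pass udp $SNMP_CONSOLES any -> $HOME_NET 161 (msg:"SNMP polling from management console, expected"; sid:1000001; rev:1;)
```

Pick one of the two options, not both. After editing, `snort -T -c snort.conf` parses the configuration and rule files without sniffing, so a typo in the variable or the rule shows up before the sensor is restarted. One more thing worth checking in Terry's case: 12.170.222.13 and 12.170.222.148 are in the same /24, so if that range is HOME_NET and EXTERNAL_NET is still `any`, the stock rule fires on internal pollers; defining EXTERNAL_NET as `!$HOME_NET` stops that class of alert for all internal hosts.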



