Snort mailing list archives
RE: ignore a single host
From: "Shnitko, Maxim {PBG}" <Maxim.Shnitko () intl pepsi com>
Date: Tue, 23 Nov 2004 11:11:48 +0300
Yes, you are right, but a better way is to create a new variable with a name, for example "SNMP_CONSOLES", for future use. And in case you change the IP address or add an additional PC with the same functions, you will just add the new IP address into the variable field. At the present time I'm using 65 manually created rules to filter the false alerts, for example SNMP requests from CIM.

Maxim

-----Original Message-----
From: isp [mailto:isp () bnjcomp com]
Sent: Tuesday, November 23, 2004 10:35 AM
To: Shnitko, Maxim {PBG}; snort-users () lists sourceforge net
Subject: Re: [Snort-users] ignore a single host

sorry about next question but new to this.

You mean go to snmp.rules, copy the snmp "request udp" rule:

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)

then put that in local.rules (which is empty but loading in my snort.conf), then change it to say:

pass udp 12.170.222.13 any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)

then save it and reload snort? am I reading this right?

thanks
terry

----- Original Message -----
From: "Shnitko, Maxim {PBG}" <Maxim.Shnitko () intl pepsi com>
To: "'isp'" <isp () bnjcomp com>; <snort-users () lists sourceforge net>
Sent: Tuesday, November 23, 2004 12:43 AM
Subject: RE: [Snort-users] ignore a single host

Open the signature "SNMP request udp", save it as a new rule (local.rules), add a new variable name with that host address, add this new variable as the source address in the created signature and replace the "alert" with "pass"... That is all.

Regards,
Maxim

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of isp
Sent: Sunday, November 21, 2004 12:44 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ignore a single host

Can't quite figure out how to ignore a single computer. I have a computer which continuously gets the following alert. It is because it is making lots of SNMP requests, which is what it is supposed to do. How do I get snort to ignore a single host like this, or just ignore this particular alert?

thanks
terry

[**] [1:1417:9] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/21-03:37:59.626234 12.170.222.13:53965 -> 12.170.222.148:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:118 DF
Len: 90
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012]
[Xref => http://www.securityfocus.com/bid/4132]
[Xref => http://www.securityfocus.com/bid/4089]
[Xref => http://www.securityfocus.com/bid/4088]

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
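The variable-plus-pass-rule approach Maxim describes, written out as an added example (this is not configuration from the thread or from the Snort project). The console address 12.170.222.13 comes from Terry's alert; the second address in the variable, the local sid 1000001, and the rule message text are constructed placeholders. The snort.conf and local.rules fragments are shown together in one block for readability:

```snort
# --- snort.conf -----------------------------------------------------------
# One variable holds every host that is allowed to poll SNMP without raising
# sid 1417. To add another management console later, extend this list only.
# 12.170.222.13 is the console from the alert; 192.0.2.20 is a constructed
# placeholder for a future console.
var SNMP_CONSOLES [12.170.222.13,192.0.2.20]

# Caveat for the Snort 2.x of this era: by default alert rules are evaluated
# before pass rules, so a pass rule never gets a chance to match. Either start
# snort with -o or set the evaluation order explicitly:
config order: pass alert log activation

# local.rules must be included from snort.conf, e.g.:
include $RULE_PATH/local.rules

# --- local.rules ----------------------------------------------------------
# Same header as the stock "SNMP request udp" rule, but: the action is pass,
# the source is restricted to the console variable (not $EXTERNAL_NET), and
# the sid is a locally chosen one (1000000 and up) so it does not collide
# with the stock sid 1417. Keeping the destination port at 161 means the pass
# rule covers only SNMP polling, not anything else those hosts might send.
pass udp $SNMP_CONSOLES any -> $HOME_NET 161 (msg:"SNMP request udp from management console"; sid:1000001; rev:1;)

# The stock rule stays in snmp.rules untouched, so SNMP requests from any
# other external host still alert:
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; ... sid:1417; rev:9;)

# --- threshold.conf (alternative) -----------------------------------------
# If the goal is only "stop this one alert from this one host" rather than
# "pass this traffic", event suppression does that without a pass rule and
# without touching rule order. gen_id 1 / sig_id 1417 are from the
# [1:1417:9] tag in the alert above.
suppress gen_id 1, sig_id 1417, track by_src, ip 12.170.222.13
```

The pass rule and the suppress line differ in what you lose: a pass rule stops Snort from evaluating any later rule against the matching packets, so it is a blind spot for everything from those hosts on that port, whereas suppress only silences sid 1417 for that source and leaves every other rule in force. For a known management console either is reasonable; keep whichever you choose as narrow as the traffic it is meant to cover, and review the variable list whenever a console is retired.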
Current thread:
- ignore a single host isp (Nov 22)
- Re: ignore a single host Matt Kettler (Nov 22)
- Re: ignore a single host Alex Butcher, ISC/ISYS (Nov 23)
- <Possible follow-ups>
- RE: ignore a single host Keith Pachulski (Nov 22)
- RE: ignore a single host Shnitko, Maxim {PBG} (Nov 22)
- RE: ignore a single host Shnitko, Maxim {PBG} (Nov 23)
- Re: ignore a single host Matt Kettler (Nov 22)