Snort mailing list archives
RE: Rules Question
From: "Jeff Dell" <jdell () activeworx com>
Date: Mon, 28 Feb 2005 15:52:41 -0500
These rules will not stop the preprocessors; what you want to do is add options in the portscan preprocessor to ignore certain hosts. To remove certain hosts altogether without worrying about any of these pass rules, just add a BPF (Berkeley packet filter) expression to the end of the command that starts Snort. Example:

Snort -d -A fast -c snort.conf not (src host 192.168.1.5 and dst port 80)

Jeff
-----Original Message-----
From: Roy Kidder [mailto:rkidder () safelite net]
Sent: Monday, February 28, 2005 3:41 PM
To: 'Jeff Dell'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rules Question

Even when using the -o flag, I still get alerts on many things. For example,

pass udp 192.168.1.33 any -> any 161

still generates alerts for 'SNMP request udp', and neither sfscan nor rules like:

pass ip 192.168.1.5/32 any -> any 80
pass tcp 192.168.1.5/32 any -> any 80

stop the '(portscan) Open Port' alerts for regular web browsing. Anyone have any suggestions?

-----Original Message-----
From: Jeff Dell [mailto:jdell () activeworx com]
Sent: Friday, February 25, 2005 9:04 AM
To: 'Roy Kidder'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rules Question

Check your rules order. By default it is alert -> pass -> log -> etc... Try adding the flag -o to your command line options when starting snort.

Cheers,
Jeff

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Roy Kidder
Sent: Friday, February 25, 2005 8:26 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rules Question

I'm trying to write what I expected to be a simple set of rules, but it's not working for me. They look like this:

pass udp any any <> 10.0.0.10 53
pass udp any any <> 192.168.1.5 53
alert udp any any <> any 53 (msg: "DNS Query";)

What I expected was to alert on any DNS queries except those to 10.0.0.10 or to 192.168.1.5. Instead, I'm seeing alerts on everything including those two hosts. Any pointers on what I did wrong?

Thanks in advance,
Roy

Roy Kidder
Network Engineer
Safelite Glass Corp.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
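The rule-ordering point Jeff raises above, as an added example that is not part of this thread or of Snort itself: a small model of how Snort 2.x of that era applied pass and alert rules (default order alert -> pass -> log, or pass -> alert -> log with -o) and of a BPF expression on the command line, run over Roy's three DNS rules. The model covers only the rule engine; preprocessors such as sfPortscan are not rules and are not affected by pass rules, which is why a BPF filter (which drops the packet before anything in Snort sees it) or a preprocessor ignore option is needed for those alerts. The packet addresses and port numbers are constructed, and `jeffs_bpf` is a hand-written stand-in for the filter in Jeff's command line, not a BPF compiler.

```python
"""Model of Snort 2.x pass/alert rule ordering and command-line BPF filtering.

Constructed example for the snort-users thread above; not Snort code. It models the
rule engine only, not preprocessors (sfPortscan, etc.), which see every packet the BPF
filter lets through regardless of pass rules.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str      # "pass", "alert" or "log"
    proto: str       # "ip", "udp" or "tcp"
    src: str
    sport: str
    direction: str   # "->" or "<>"
    dst: str
    dport: str
    msg: str = ""


def parse_rule(line: str) -> Rule:
    """Parse the header of a Snort rule line; only the msg option is retained."""
    head, _, opts = line.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    msg = ""
    for opt in opts.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key.strip() == "msg":
            msg = val.strip().strip('"')
    return Rule(action, proto, src, sport, direction, dst, dport, msg)


def _ip_ok(spec: str, ip: str) -> bool:
    # "any" matches everything; otherwise a host or CIDR such as 192.168.1.5/32
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header match; '<>' rules also match with source and destination swapped."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    fwd = (_ip_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
           and _ip_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    if rule.direction == "->":
        return fwd
    rev = (_ip_ok(rule.src, pkt.dst) and _port_ok(rule.sport, pkt.dport)
           and _ip_ok(rule.dst, pkt.src) and _port_ok(rule.dport, pkt.sport))
    return fwd or rev


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 2.x default, as Jeff describes it
ORDER_WITH_O = ("pass", "alert", "log")    # what the -o switch selects


def evaluate(rules, pkt: Packet, order=DEFAULT_ORDER, bpf=None):
    """Return (outcome, msg). A BPF predicate returning False drops the packet before
    preprocessors or rules run; otherwise the first rule type in `order` with a matching
    rule decides, which is why pass rules are useless under the default order."""
    if bpf is not None and not bpf(pkt):
        return ("filtered", "")
    for action in order:
        for r in rules:
            if r.action == action and matches(r, pkt):
                return (action, r.msg)
    return ("none", "")


# Roy's rules, exactly as posted in the thread
ROYS_RULES = [parse_rule(l) for l in (
    'pass udp any any <> 10.0.0.10 53',
    'pass udp any any <> 192.168.1.5 53',
    'alert udp any any <> any 53 (msg: "DNS Query";)',
)]


def jeffs_bpf(pkt: Packet) -> bool:
    """Hand-written stand-in for: not (src host 192.168.1.5 and dst port 80)."""
    return not (pkt.src == "192.168.1.5" and pkt.dport == 80)


def demo() -> dict:
    # Constructed packets (documentation address ranges for the external hosts)
    internal = Packet("udp", "192.168.1.33", 40000, "10.0.0.10", 53)
    external = Packet("udp", "192.168.1.33", 40001, "198.51.100.7", 53)
    web = Packet("tcp", "192.168.1.5", 50000, "203.0.113.9", 80)
    return {
        "internal_default": evaluate(ROYS_RULES, internal)[0],           # alert wins first
        "internal_with_o": evaluate(ROYS_RULES, internal, ORDER_WITH_O)[0],
        "external_with_o": evaluate(ROYS_RULES, external, ORDER_WITH_O)[0],
        "web_bpf": evaluate(ROYS_RULES, web, ORDER_WITH_O, jeffs_bpf)[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Under the default order the DNS query to 10.0.0.10 still alerts, exactly as Roy saw; with -o the pass rule wins. The web packet from 192.168.1.5 is reported as filtered rather than passed, the distinction Jeff's reply turns on: a pass rule only silences detection-engine rules, while the BPF expression keeps the packet away from the preprocessors as well.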
Current thread:
- Rules Question Roy Kidder (Feb 25)
- RE: Rules Question Jeff Dell (Feb 25)
- RE: Rules Question Roy Kidder (Feb 28)
- RE: Rules Question Jeff Dell (Feb 28)
- RE: Rules Question Roy Kidder (Feb 28)
- RE: Rules Question Roy Kidder (Feb 28)
- RE: Rules Question Jeff Dell (Feb 25)