RE: Rules Question

["Jeff Dell" <jdell () activeworx com>]

These rules will not stop the preprocessors, what you want to do is add
options in the portscan preprocessor to ignore from certain hosts. To remove
certain hosts all together without worrying about any of these pass rules,
just add a (Berkeley packet filter)bpf to the end of the command to start
Snort.

Example:
Snort -d -A fast -c snort.conf not (src host 192.168.1.5 and dst port 80)


Jeff

> -----Original Message-----
> From: Roy Kidder [mailto:rkidder () safelite net] 
> Sent: Monday, February 28, 2005 3:41 PM
> To: 'Jeff Dell'; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Rules Question
>
> Even when using the -o flag, I still get alerts on many 
> things. For example,
>
> pass udp 192.168.1.33 any -> any 161
>
> still generates alerts for 'SNMP request udp'
>
> and neither sfscan nor a rules like:
>
> pass ip  192.168.1.5/32 any -> any 80
> pass tcp 192.168.1.5/32 any -> any 80
>
> stop the '(portscan) Open Port' alerts for regular web browsing.
>
> Anyone have any suggestions?
>
>
> > -----Original Message-----
> > From: Jeff Dell [mailto:jdell () activeworx com] 
> > Sent: Friday, February 25, 2005 9:04 AM
> > To: 'Roy Kidder'; snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] Rules Question
> >
> > Check your rules order. By default it is alert -> pass -> log 
> > -> etc...
> >
> > Try adding the flag -o to your command line options when 
> > starting snort.
> >
> > Cheers,
> > Jeff 
> >
> > > -----Original Message-----
> > > From: snort-users-admin () lists sourceforge net 
> > > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
> > > Roy Kidder
> > > Sent: Friday, February 25, 2005 8:26 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] Rules Question
> > >
> > > I'm trying to write what I expected to be a simple set rules, 
> > > but it's not
> > > working for me. They look like this:
> > >
> > > pass udp any any <> 10.0.0.10 53
> > > pass udp any any <> 192.168.1.5 53
> > > alert udp any any <> any 53 (msg: "DNS Query";)
> > >
> > > What I expected was to alert on any DNS queries except those 
> > > to 10.0.0.10 or
> > > to 192.168.1.5. Instead, I'm seeing alerts on everything 
> > > including those two
> > > hosts. 
> > >
> > > Any pointers on what I did wrong?
> > >
> > > Thanks in advance,
> > > Roy
> > >
> > >  
> > > Roy Kidder
> > > Network Engineer
> > > Safelite Glass Corp.
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > SF email is sponsored by - The IT Product Guide
> > > Read honest & candid reviews on hundreds of IT Products from 
> > > real users.
> > > Discover which products truly live up to the hype. Start 
> > reading now.
> > > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users