Snort mailing list archives
Re: Fwd: Delivery Status Notification (Failure)
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 22 Sep 2011 16:21:19 -0400
If you never want any alert to be generated between two clients on specific ports, I would use a BPF filter to exclude that communication from inspection.

On Thu, Sep 22, 2011 at 3:39 PM, Nabyl Benmlih <nabylb () stptech com> wrote:

> Hi,
>
> I have 2 hosts that are set to communicate on a specific port. I'd like to exclude that IP/port couple from the alerts, while any other IP does create an alert.
>
> For instance: the server is on 192.168.0.1, the client is on 192.168.5.1, and the communication is 192.168.0.1 <-- 192.168.5.1:4444. Snort detects it and creates alerts because 192.168.5.1:4444 is open.
>
> I'd like, for the specific case of 192.168.0.1 <-- 192.168.5.1:4444, not to have any alerts, yet if any other host/client goes to 192.168.5.1:4444, to generate alerts. How would I do that? I have around 15 couples of those IP/port to exempt from generating alerts.
>
> Otherwise, running:
>
> Snort Version 2.8.5.3 (Build 124)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> Using PCRE version: 6.6 06-Feb-2006
>
> on CentOS:
>
> Linux Holopinos 2.6.18-238.19.1.el5 #1 SMP Fri Jul 15 07:32:29 EDT 2011 i686 i686 i386 GNU/Linux
>
> (I'll upgrade Snort after I fix this issue.)
>
> Thanks in advance
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2dcopy1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
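As an added illustration of the BPF approach suggested in the reply above (this is example code written for this archive page, not Jason's or the Snort project's own code), the following Python builds the exclusion filter for a list of (server, client, port) pairs and includes a small matcher that mirrors BPF's semantics so the list can be checked offline before it is handed to Snort. It assumes the exempted traffic is TCP, as the port 4444 example in the thread suggests; the second and third pairs in the list are constructed, only the first comes from the thread.

```python
"""Build a BPF capture filter that exempts known server/client/port pairs
from Snort inspection, and check sample flows against it offline."""

from dataclasses import dataclass
from ipaddress import ip_address

# Exemption list. Only the first pair is from the thread; the other two are
# constructed to show how the filter grows with "around 15 couples".
EXEMPT_PAIRS = [
    ("192.168.0.1", "192.168.5.1", 4444),
    ("192.168.0.1", "192.168.5.2", 4445),   # constructed
    ("192.168.0.2", "192.168.5.3", 22),     # constructed
]


def bpf_term(server: str, client: str, port: int) -> str:
    """One parenthesised BPF clause for a single exempted pair.

    'host A and host B' matches packets in either direction between A and B,
    and 'tcp port N' matches N as either source or destination port, so one
    clause covers both halves of the conversation.
    """
    # Validate early: a typo here would otherwise surface only when Snort
    # rejects the whole filter at start-up (assumption: IPv4/IPv6 literals).
    ip_address(server)
    ip_address(client)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"(host {server} and host {client} and tcp port {port})"


def build_bpf(pairs) -> str:
    """Return a filter that keeps everything EXCEPT the exempted pairs.

    Any other host talking to the same port is still inspected, because
    every clause requires both hosts of the pair to be present.
    """
    if not pairs:
        return ""  # empty filter: inspect everything
    return "not (" + " or ".join(bpf_term(*p) for p in pairs) + ")"


@dataclass(frozen=True)
class Flow:
    """A single packet's 5-tuple, used to test the filter offline."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def passes_filter(flow: Flow, pairs) -> bool:
    """True if Snort would still inspect this packet under build_bpf(pairs).

    Mirrors the BPF semantics above: both hosts must match (either
    direction), protocol must be TCP, and the port may be on either side.
    """
    hosts = {flow.src, flow.dst}
    for server, client, port in pairs:
        if (hosts == {server, client}
                and flow.proto == "tcp"
                and port in (flow.sport, flow.dport)):
            return False
    return True


if __name__ == "__main__":
    print(build_bpf(EXEMPT_PAIRS))
    # Constructed sample packets: the exempted pair in both directions,
    # an unrelated client hitting the same port, and the same two hosts
    # on a port that is not exempted.
    samples = [
        Flow("192.168.5.1", "192.168.0.1", 51000, 4444),
        Flow("192.168.0.1", "192.168.5.1", 4444, 51000),
        Flow("192.168.7.9", "192.168.5.1", 51000, 4444),
        Flow("192.168.0.1", "192.168.5.1", 51000, 4445),
    ]
    for f in samples:
        print(f, "inspected" if passes_filter(f, EXEMPT_PAIRS) else "exempt")
```

The generated string is what you would pass to Snort as the trailing BPF expression on the command line, or place in a file read with `-F` (Snort 2.x supports both). One design point worth keeping in mind: a BPF filter removes the matching packets from inspection entirely, so nothing on that pair of hosts and port will ever alert, not just the signature that is noisy today; the matcher above makes that scope explicit before the filter goes live.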
Current thread:
- Fwd: Delivery Status Notification (Failure) Nabyl Benmlih (Sep 22)
- Re: Fwd: Delivery Status Notification (Failure) Jason Wallace (Sep 22)