Snort mailing list archives

Re: Event Suppression between specific Source and Destination


From: Jeremy Hoel <jthoel () gmail com>
Date: Sat, 15 Dec 2012 12:17:13 -0700

That's a good idea too.  I hadn't thought of using bpf for that reason.
Plus fewer rules.. nice.
On Dec 15, 2012 10:10 AM, "Tony Robinson" <deusexmachina667 () gmail com> wrote:

If you're good with BPF syntax, snort accepts BPF filters. If you have
enough key things to flag on, you can use the BPF to make snort ignore
traffic meeting the characteristics causing your alert to trigger between
these two hosts.

It's not a pretty alternative, but it's an alternative nonetheless.

On Fri, Dec 14, 2012 at 10:06 PM, Jeremy Hoel <jthoel () gmail com> wrote:

You could also suppress an alert between two hosts by creating a pass rule.

Also, most rules (that I can think of based on our alerts) are
unidirectional. So if I know some servers always get rap traffic I suppress
those alerts with the src or dst depending on the rule.
On Dec 14, 2012 7:41 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

On 12/14/2012 10:44, Guido Hungerbuehler wrote:
I only agree on parts. Because if you would like to create a pass rule
for one specific rule and the two affected hosts, this would mean that I
basically have to copy the rule that triggers the event and replace
'alert' with 'pass' and adjust the source and destination.

But if the signature gets a new revision, the pass-rule does not get
updated. And I would have to check for changes in the rules manually.

welcome to IDS Management 101 ;)

but seriously, i see what you are saying but there is no other method
available at this time for the way you choose to operate :?


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!







--
when does reality end? when does fantasy begin?
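An added example (not code from anyone in this thread) for the maintenance problem Guido raises: a small Python check that flags pass rules whose source alert rule has moved to a new rev, or whose source has disappeared from the feed. It assumes the pass rules carry their own local sid and record the copied rule in free-form metadata keys origin_sid/origin_rev, a convention invented here; the rule text is constructed.

```python
import re

# Constructed sample rule sets, not from anyone in the thread. The vendor feed has
# moved sid 1000001 on to rev 3; the local pass rule was copied when it was rev 2.
VENDOR_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh banner"; flow:to_server; content:"SSH-"; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server; content:"/probe"; sid:1000002; rev:1;)
'''
# Pass rules carry their own local sid and record the alert they were copied from in
# free-form metadata (origin_sid/origin_rev are a local convention, not Snort keywords).
LOCAL_PASS_RULES = '''
pass tcp 192.0.2.10 any -> 198.51.100.20 22 (msg:"EXAMPLE ssh banner"; flow:to_server; content:"SSH-"; metadata:origin_sid 1000001, origin_rev 2; sid:9000001; rev:1;)
pass tcp 192.0.2.10 any -> 198.51.100.20 80 (msg:"EXAMPLE web probe"; flow:to_server; content:"/probe"; metadata:origin_sid 1000002, origin_rev 1; sid:9000002; rev:1;)
pass tcp 192.0.2.10 any -> 198.51.100.20 443 (msg:"EXAMPLE retired"; metadata:origin_sid 1000003, origin_rev 1; sid:9000003; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
ORIGIN_RE = re.compile(r'\borigin_sid\s+(\d+)\s*,\s*origin_rev\s+(\d+)')

def rule_lines(text):
    """Yield stripped rule lines, skipping blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line

def vendor_revs(text):
    """Map each vendor sid to its current rev."""
    revs = {}
    for line in rule_lines(text):
        sid, rev = SID_RE.search(line), REV_RE.search(line)
        if sid and rev:
            revs[int(sid.group(1))] = int(rev.group(1))
    return revs

def stale_pass_rules(vendor_text, pass_text):
    """Return (stale, orphaned): stale maps pass sid -> (origin sid, rev copied, vendor rev
    now) where the vendor revised the rule; orphaned lists pass sids whose origin is gone."""
    vendor = vendor_revs(vendor_text)
    stale, orphaned = {}, []
    for line in rule_lines(pass_text):
        sid, origin = SID_RE.search(line), ORIGIN_RE.search(line)
        if not (sid and origin):
            continue  # a pass rule without provenance cannot be checked
        psid, osid, orev = int(sid.group(1)), int(origin.group(1)), int(origin.group(2))
        if osid not in vendor:
            orphaned.append(psid)
        elif vendor[osid] != orev:
            stale[psid] = (osid, orev, vendor[osid])
    return stale, sorted(orphaned)
```

Run it against the real vendor feed and your local pass file after each rule update; a non-empty result is the list of pass rules to re-copy or drop.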

