Snort mailing list archives

Re: Thresholding by source AND destination


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Aug 2013 14:54:48 -0400

Try writing a pass rule for the two hosts.


On Mon, Aug 5, 2013 at 2:38 PM, Turnbough, Bradley E. <bturnbough () belcan com
wrote:

Hello,

A kind person sent me information last week regarding a solution to allow
me to disregard events when from a certain source to a certain destination.
Can someone please give me a better idea how to do this?

For example:

I have a source DNS server IP address of 1.2.3.4 and a destination DNS
server of 5.6.7.8

This alert is being generated:

INDICATOR-COMPROMISE Suspicious .cn dns query

BUT.... This is for a domain that I know is a legit domain.

dns.abc.cn


So, I want to exclude (threshold / not alert) suspicious CN domain
resolution requests when coming from 1.2.3.4 and going to 5.6.7.8 for a DNS
request of dns.abc.cn

Hopefully I explained myself well enough.

Thanks,

Brad



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
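As an added example (not code from the thread or from Sourcefire), here is a pass rule of the kind Joel suggests, scoped to the two hosts and to the one domain Brad names. It assumes the lookup is a UDP DNS query to port 53 from 1.2.3.4 to 5.6.7.8, that the rule lives in a local rules file that snort.conf includes, and uses a made-up local SID (1000001); the SID of the "Suspicious .cn dns query" signature itself is not given in the thread, so it appears below only as a placeholder.

```snort
# Added example, not from the thread. Assumes a UDP DNS query on port 53
# from 1.2.3.4 to 5.6.7.8 and that this file is loaded from snort.conf
# (for example "include $RULE_PATH/local.rules"). SID 1000001 is a made-up
# local SID; use one that is free in your own local range.
#
# A DNS question name is carried as length-prefixed labels, so dns.abc.cn
# is on the wire as 03 'dns' 03 'abc' 02 'cn' 00. Matching that exact byte
# sequence (case-insensitively, since DNS names are) keeps the pass rule
# from silencing every other .cn lookup between these two hosts.
pass udp 1.2.3.4 any -> 5.6.7.8 53 (msg:"LOCAL pass known-good DNS query for dns.abc.cn"; content:"|03|dns|03|abc|02|cn|00|"; nocase; sid:1000001; rev:1;)

# Why a pass rule rather than suppress: threshold/suppress entries track
# one side only (by_src OR by_dst), so the line below would silence the
# signature for every query 1.2.3.4 makes, not just the ones to 5.6.7.8
# for dns.abc.cn. <sid> stands for the firing signature's SID, which the
# thread does not state.
# suppress gen_id 1, sig_id <sid>, track by_src, ip 1.2.3.4
```

Two things to check before relying on this: pass rules only win over alert rules because Snort's default rule order evaluates pass before alert, so if snort.conf sets `config order:` to something else the alert will still fire; and keep the rule as narrow as the one above (both hosts plus the exact name), since a pass rule for "all DNS between these two servers" would also hide genuinely suspicious .cn lookups that use the same resolver path.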
