Snort mailing list archives

Re: Exclude IP Subnets and a IP address from a Specific rule


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 30 Aug 2013 11:46:04 -0400

On Aug 30, 2013, at 11:33 AM, Matt Brichetto <m_brichetto () cuinterface com> wrote:

Hello, 

This is a two-part question on two different topics that are related to each other. The first part is that I am looking to see the best way to exclude an IP address from a specific rule in Snort. The second part is how to exclude specific external subnets from being scanned as they flow into the Snort box.
 
My setup is running on Windows Server 2008 64-bit. I used the WinSnort.com website for their guide on how to install and set everything up. I am also using Pulled Pork to auto-update my rules or signatures. I am new to the Snort setup, so please bear with me as I may ask silly questions. Now onto the specific scenarios I have.

The first setup I need to do is exclude an internal IP address from this specific rule below, because it flows into a spam filter of ours and we receive a ton of alerts from it that are not needed. The IP address of the device is 192.168.22.9 on our local subnet. (Rule is below)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)

Here are the two options, after doing some research, that I think may work, but I would like to hear back from someone with experience in this. What I don't know is, if I edit the winids.rules file for a specific rule, will Pulled Pork just write over it?

First, edit the existing rule in the winids.rules folder with an exclude "!" argument, so it may look like this.

alert tcp ![192.168.41.9/24] $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)


Another thought I had was adding a pass rule above the original rule, with just the specific IP address, in the winids.rules file, as well as taking out the $EXTERNAL_NET argument because it is just a new rule.


pass tcp [192.168.41.9/24] any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)



The second setup is excluding certain external IP subnets altogether from being scanned. What I want is that all the external IPs that come in are still seen, but Snort ignores certain external subnets that I specify. My thought process is to either somehow modify the EXTERNAL_NET field in the snort.conf file, or, I also thought, is there a way to create a local file somehow that would just exclude the specific IP addresses I want Snort to ignore?
 
Through all of the reading I have done, there doesn't seem to be a defined way to do this, but I cannot be the only one who has needed to exclude IP addresses from certain places in Snort.

Thanks in advance for any help,

Check out Suppression:

http://manual.snort.org/node19.html#SECTION00343000000000000000

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
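As an added illustration of the suppression mechanism the reply points at (this is not part of the original thread, nor Snort's own documentation), the entries below show what a suppress line looks like for the first question. The sid (13364) and the host address (192.168.22.9) come from the question; the 203.0.113.0/24 and 198.51.100.7 values are constructed placeholders standing in for the external subnets of the second question. Suppress entries live in threshold.conf, which snort.conf pulls in with an include line, so they sit outside the rule files that Pulled Pork regenerates and survive a rule update.

```snort
# Added example of Snort 2.x suppression entries (not from the thread).
# These belong in threshold.conf; snort.conf loads that file with:
#   include threshold.conf

# Question 1: silence sid 13364 only when the source address is the spam
# filter at 192.168.22.9. gen_id 1 is the generator id for text rules.
# Traffic from every other source still triggers the rule as before.
suppress gen_id 1, sig_id 13364, track by_src, ip 192.168.22.9

# The same clause accepts a CIDR block or a bracketed IP list, so one entry
# can cover a whole subnet. 203.0.113.0/24 and 198.51.100.7 are constructed
# placeholders (documentation ranges), not addresses from the question.
suppress gen_id 1, sig_id 13364, track by_src, ip [203.0.113.0/24,198.51.100.7]

# Without a track/ip clause the entry suppresses the rule for all traffic,
# which is effectively the same as disabling the rule. Keep the track clause
# when the goal is to exclude only specific hosts or subnets.
# suppress gen_id 1, sig_id 13364
```

Two points worth keeping in mind when using this: suppression is keyed to a single gen_id/sig_id pair, so excluding a subnet from every rule would need one entry per rule rather than a single line, and a suppressed rule is still evaluated against the packet (only the resulting event is discarded), so it does not reduce inspection load the way disabling the rule would. After editing threshold.conf, restart Snort or reload the configuration so the new entries take effect.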