Snort mailing list archives

Re: what is the command line to use ignore.rules - pass ip


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 22 Jan 2016 17:23:57 +0000

Can you run snort with "-Acmg  -H -U -k none" and see if you get any alerts with this address?

I have a rule with " alert tcp $HOME_NET any -> any any (sid:1000001; msg:"TEST")" using your ' ipvar HOME_NET [192.168.1.66/24]'

I don't get any alerts with 0.0.0.0 in them. I do get a TON of these (see below; I clipped a bunch off), which suggests the output logging is summarizing.

Please send us your conf file.


[root@onetwo snort-2.9.8.0-build_229]# ./bin/snort -c etc/ZERO.conf -r etc/ZERO.pcap -Acmg -H -U -k none -q | grep -i TEST
01/22-16:38:11.806576  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896482  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896600  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.184956  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.218249  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.226693  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.246559  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.267310  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.345081  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.354908  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.360292  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.382499  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.384308  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.384343  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.384409  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.384512  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.385764  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.437377  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.438300  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.500275  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.501804  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.501969  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.508686  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.526571  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.537222  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.548196  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.691885  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.700358  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.716337  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.719270  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.721788  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.724314  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.727436  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 
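To make the check Al describes (the raw alerts, as printed to the console, contain no 0.0.0.0 address) repeatable, here is an added Python example that is not part of the thread. It parses alert_fast-style lines like the ones above (the format `-A console` prints, and the alert lines of `-A cmg`), tallies alerts per source/destination pair, and lists every alert that involves a given address. Three sample lines are copied from Al's output; the ICMP line and the line with a 0.0.0.0 destination are constructed for illustration. IPv4 addresses are assumed.

```python
"""Tally Snort 2.x alert_fast output by address pair and look for a given IP."""
import re
from collections import Counter

# Three alert lines copied from the thread (real -A cmg console output).
ALERTS_FROM_THREAD = """\
01/22-16:38:11.806576  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.246559  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
"""

# Constructed lines (not from the thread): a port-less ICMP alert, and an alert
# with the 0.0.0.0 destination the original poster reported seeing.
ALERTS_CONSTRUCTED = """\
01/22-16:40:00.000001  [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 192.168.1.66 -> 194.9.94.80
01/22-16:40:00.000002  [**] [1:1852:0] TEST [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.4.8.0:443 -> 0.0.0.0:51000
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$')


def parse_alerts(text):
    """Parse alert_fast lines into dicts; blank lines are skipped, anything else is an error."""
    alerts = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError('unrecognised alert_fast line: ' + line)
        a = m.groupdict()
        for k in ('gid', 'sid', 'rev', 'prio'):
            a[k] = int(a[k])
        for k in ('sport', 'dport'):          # absent for ICMP and other port-less protocols
            a[k] = int(a[k]) if a[k] is not None else None
        alerts.append(a)
    return alerts


def pair_counts(alerts):
    """Number of alerts per (src, dst) address pair, ignoring ports."""
    return Counter((a['src'], a['dst']) for a in alerts)


def alerts_with_address(alerts, ip):
    """Alerts in which ip is the source or the destination address."""
    return [a for a in alerts if ip in (a['src'], a['dst'])]


if __name__ == '__main__':
    import sys
    samples = [('thread', ALERTS_FROM_THREAD), ('constructed', ALERTS_CONSTRUCTED)]
    if not sys.stdin.isatty():   # e.g.  snort -c snort.conf -r x.pcap -A console -q | python3 alert_tally.py
        samples = [('stdin', sys.stdin.read())]
    for label, text in samples:
        alerts = parse_alerts(text)
        print(f'{label}: {len(alerts)} alerts')
        for (src, dst), n in pair_counts(alerts).most_common():
            print(f'  {src} -> {dst}: {n}')
        print(f'  alerts involving 0.0.0.0: {len(alerts_with_address(alerts, "0.0.0.0"))}')
```

The parser is deliberately strict: with `-A cmg` the console output also carries packet dumps, so either filter the alert lines first, as Al does with `grep -i TEST`, or use `-A console`, which prints only the alert lines. If the tally of the raw console output shows no 0.0.0.0 while a downstream viewer does, the viewer or its log reader is the place to look, which is the conclusion Al draws above.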


-----Original Message-----
From: Al Lewis (allewi) 
Sent: Friday, January 22, 2016 12:11 PM
To: hernani coelho; snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use ignore.rules - pass ip

There is no traffic in the pcap with a 0.0.0.0 address, which suggests you have something incorrectly set in your conf file

Or

You are viewing the alerts from another tool that is summarizing addresses.


I used the home_net variable you provided and I don't get any alerts on the commandline with an address of '0.0.0.0'

Please send me your conf file.




Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 


-----Original Message-----
From: hernani coelho [mailto:hernani_coelho () msn com] 
Sent: Friday, January 22, 2016 11:52 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use ignore.rules - pass ip

I sent the pcap file of the traffic to your private email.

If you cannot open that file, tell me.

On 22-01-2016 15:06, Al Lewis (allewi) wrote:
Please provide a pcap of the traffic.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com


-----Original Message-----
From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Friday, January 22, 2016 9:23 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use 
ignore.rules - pass ip

Alerts have dst ip 0.0.0.0
or src 64.4.8.0
or src 64.4.8.1

On 22-01-2016 13:54, Al Lewis (allewi) wrote:
Can you provide a pcap of the traffic you are having problems with?
In Snort, download in pcap format shows nothing.

Have you tried suppressing the IP's you don't want?
I have tried this --->
suppress gen_id 1, sig_id 1852, track by_src, ip 0.0.0.0
suppress gen_id 1, sig_id 1852, track by_src, ip 64.4.8.0
suppress gen_id 1, sig_id 1852, track by_src, ip 64.4.8.1
suppress gen_id 1, sig_id 1852, track by_dst, ip 0.0.0.0

Do you have your home_net setup correctly?

ipvar HOME_NET [192.168.1.66/24]

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Friday, January 22, 2016 8:45 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use 
ignore.rules - pass ip

If I put this in the command line --->
/usr/local/bin/snort -q -u snort -g snort -O /etc/snort/rules/ignore.rules -c /etc/snort/snort.conf -i wlan0

Snort does not work.

On 22-01-2016 13:30, hernani coelho wrote:
Hello,

I have this command line ---> /usr/local/bin/snort -q -u snort -g snort -O -c /etc/snort/snort.conf -i wlan0

To work with the rule "pass ip" in the file /etc/snort/rules/ignore.rules I have put this in the file -->
pass ip 64.4.8.0 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
pass ip 64.4.8.1 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
pass ip 0.0.0.0 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)

Is this correct??
Snort shows the IPs in the same way.

Can someone help me??
I tried a BPF file but it did not work; the IP 0.0.0.0 is shown anyway.
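An added example, not part of the thread: a small Python check for the defect visible in the ignore.rules content quoted above, where all three pass rules reuse sid:1000001. Snort rejects a rule whose gid:sid duplicates an already loaded rule, so the file never takes effect as written. The checker parses single-line Snort rules, reports every (gid, sid) pair used more than once, and is run on both the posted content and a constructed corrected version with one sid per rule; the `include` line in that version's comment is an assumption about how the file is wired into snort.conf. A related caveat on the command lines above: in Snort 2.x, `-O` is the switch that obfuscates logged IP addresses and takes no file argument, so a rules file is loaded by `include`-ing it from snort.conf, not by naming it after `-O`.

```python
"""Check a Snort 2.x rules file for duplicate (gid, sid) pairs before loading it."""
import re
from collections import defaultdict

# Copy of the ignore.rules content posted in the thread: three pass rules that
# all carry sid:1000001. Snort requires gid:sid to be unique across the loaded
# rule set, so a file like this is refused.
IGNORE_RULES_AS_POSTED = """\
pass ip 64.4.8.0 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
pass ip 64.4.8.1 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
pass ip 0.0.0.0 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
"""

# Constructed corrected version: the same rules with one sid each. Sids of
# 1000000 and above are the range Snort leaves free for local rules.
IGNORE_RULES_FIXED = """\
# local pass rules; assumed to be loaded from snort.conf with: include $RULE_PATH/ignore.rules
pass ip 64.4.8.0 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
pass ip 64.4.8.1 any -> any any (msg:"Ignore this host";sid:1000002;rev:1;)
pass ip 0.0.0.0 any -> any any (msg:"Ignore this host";sid:1000003;rev:1;)
"""

# Rule header: action proto src sport dir dst dport, followed by the option body in parentheses.
RULE_RE = re.compile(
    r'^(?P<action>pass|alert|log|drop|sdrop|reject|activate|dynamic)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def _int_option(opts, name, default):
    """Value of a numeric rule option such as sid:1000001; (keyword, colon, digits, semicolon)."""
    m = re.search(r'(?:^|;)\s*' + name + r'\s*:\s*(\d+)\s*;', opts)
    return int(m.group(1)) if m else default


def parse_rules(text):
    """Parse single-line Snort rules; blank lines and # comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a rule: {line}')
        opts = m.group('opts')
        rules.append({
            'line': lineno,
            'action': m.group('action'),
            'proto': m.group('proto'),
            'src': m.group('src'),
            'dst': m.group('dst'),
            'gid': _int_option(opts, 'gid', 1),      # gid defaults to 1 when absent
            'sid': _int_option(opts, 'sid', None),   # sid is mandatory in Snort
            'rev': _int_option(opts, 'rev', 0),
        })
    return rules


def duplicate_sids(text):
    """Map each (gid, sid) pair used more than once to the line numbers that use it."""
    seen = defaultdict(list)
    for r in parse_rules(text):
        seen[(r['gid'], r['sid'])].append(r['line'])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == '__main__':
    for label, text in (('as posted', IGNORE_RULES_AS_POSTED), ('fixed', IGNORE_RULES_FIXED)):
        dups = duplicate_sids(text)
        print(f'{label}: {len(parse_rules(text))} rules, duplicate sids: {dups or "none"}')
```

Running the check on the posted file reports sid 1000001 on lines 1, 2 and 3; the corrected version reports none. The parser handles one rule per line, which is how the rules above are written; a multi-line rule continued with a trailing backslash would need the lines joined first.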

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application 
Performance APM + Mobile APM + RUM: Monitor 3 App instances at just 
$35/Month Monitor end-to-end web transactions and take corrective 
actions now Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

