[Snort-users] Config stuff [was: Dynamic Addresses]

Joe McAlerney joey at ...47...
Tue Apr 10 14:11:18 EDT 2001


Hi Dave,

Dave Fitches wrote:

> Can someone tell me if this is right??
> 
> I want Snort to ignore portscan alerts from the DNS servers and game servers
> I connect to...

That part looks good to me.  Just make sure preprocessor
portscan-ignorehosts is _after_ the preprocessor portscan line.

> I ALSO want to get snort to ignore any port 53 activity to/from me and my
> DNS servers... can't figure that one out... [Probably me being thick....]

pass tcp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for TCP 53 to/from DNS_SERVERS";)
pass udp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for UDP 53 to/from DNS_SERVERS";)

Then, make sure you start snort with -o.

> # Define the addresses of DNS servers and other hosts
> # if you want to ignore portscan false alarms from them...
> 
> var DNS_SERVERS [203.164.20.147/32,203.164.20.148/32]
> var GAME_SERVERS [203.164.3.195/32,203.164.3.209/32,203.164.3.207/32]
> 
> # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> # specific networks or hosts to reduce false alerts. It is typical
> # to see many false alerts from DNS servers so you may want to
> # add your DNS servers here. You can add multiple hosts/networks
> # in a whitespace-delimited list.
> 
> preprocessor portscan-ignorehosts: $DNS_SERVERS $GAME_SERVERS

Happy Snorting,

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
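
Added example, not part of the original message and not Snort project code: a small lint that checks a snort.conf for the three conditions raised in this reply (portscan-ignorehosts placed after portscan, pass rules kept on one line, and -o given when pass rules exist). The HOME_NET value, the portscan arguments, the function name lint and the started_with_o parameter are assumptions made for illustration.

```python
import re

# Constructed sample configs. DNS addresses are the ones from the thread;
# HOME_NET and the portscan arguments are made-up values.
SAMPLE_BAD = """\
var HOME_NET 192.0.2.10/32
var DNS_SERVERS [203.164.20.147/32,203.164.20.148/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor portscan: $HOME_NET 4 3 portscan.log
pass udp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for UDP 53
to/from DNS_SERVERS";)
"""

SAMPLE_GOOD = """\
var HOME_NET 192.0.2.10/32
var DNS_SERVERS [203.164.20.147/32,203.164.20.148/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
pass udp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for UDP 53 to/from DNS_SERVERS";)
"""

def lint(conf_text, started_with_o=False):
    """Return sorted (line_number, message) findings; line 0 = whole file."""
    findings = []
    portscan_line = ignore_line = None
    has_pass = False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"preprocessor\s+([\w-]+)", line)
        if m and m.group(1) == "portscan":
            portscan_line = no
        elif m and m.group(1) == "portscan-ignorehosts":
            ignore_line = no
        elif re.match(r"pass\s", line):
            has_pass = True
            # Assumes one rule per line: a mail-wrapped rule has no closing ")".
            if not line.endswith(")"):
                findings.append((no, "pass rule is split across lines"))
    if ignore_line and (portscan_line is None or ignore_line < portscan_line):
        findings.append((ignore_line, "portscan-ignorehosts must follow portscan"))
    # -o makes Snort evaluate pass rules before alert rules.
    if has_pass and not started_with_o:
        findings.append((0, "pass rules present: start snort with -o"))
    return sorted(findings)
```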



