[Snort-users] Host negation in rules.

Martin Roesch roesch at ...421...
Fri Jan 26 11:07:13 EST 2001


"Scott A. McIntyre" wrote:
> 
> Also sprach Max Vision (vision at ...4...):
> 
> > On Fri, 26 Jan 2001, Scott A. McIntyre wrote:
> > > I'm having a devil of a time getting this to work:
> > > alert tcp $EXTERNAL_NET any -> [!194.109.6.66/32,$HOME_NET] 53
> > > (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP;
> > > offset: 13;)
> > >
> >
> > The traditional way of handling exclusions is to use pass rules.
> > Something like the following would ignore dns traffic to that host:
> >
> > pass tcp $EXTERNAL_NET any -> 194.109.6.66/32 53
> >
> > Remember to add the -o option to snort if you do this.
> >
> 
> Yes, and in this case I may end up doing that.  The down side is that it
> will then pass all traffic, tcp in nature, to that host/port, regardless
> of the rest of the rule that existed for the alert condition.
> 
> In other words, what if, instead of DNS, I wanted to have two CGI based
> rules, to the same port, but different content (as is often the case)?
> 
> Omitting a specific node as a destination would be best on a per-host
> basis -- I want to ignore "webshop cgi" alerts on hostA, but not hostB.
> It's the extra conditionals within the rule that give some of the
> flexibility I'd lose by using a blanket "pass".

You can specify all the standard rule options in pass rules, just like
in alert and log rules.  It should be a fairly simple matter to specify
a list of IPs that you don't want to pick up webshop alerts from in a
var and set a pass rule that watches for that IP/content pair:

var WEBSHOP_IGNORE 10.1.1.3/32

pass tcp any any -> $WEBSHOP_IGNORE 80 (flags: A+; content: "webshop.cgi";)

That ought to work.

    -Marty

--
Martin Roesch
roesch at ...421...
http://www.snort.org
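
Added example, not part of the original message and not Snort code: a simplified Python model of the rule-action ordering discussed in this thread, showing that a content-qualified pass rule silences only the "webshop cgi" alert on the ignored host, and only when pass rules are checked first (the -o option). Assumptions: Snort's default order checks alert rules before pass rules; HOME_NET, the second CGI rule, the host addresses and the packets are constructed; TCP flags are not modelled.

```python
# Simplified model of Snort rule-action ordering; not Snort's detection engine.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str      # "alert" or "pass"
    dst_net: str     # destination CIDR
    dport: int
    content: bytes   # payload substring that must be present
    msg: str = ""

    def matches(self, dst, dport, payload):
        return (ip_address(dst) in ip_network(self.dst_net)
                and dport == self.dport
                and self.content in payload)

WEBSHOP_IGNORE = "10.1.1.3/32"   # value from the message above
HOME_NET = "10.1.1.0/24"         # constructed for this example

RULES = [
    Rule("alert", HOME_NET, 80, b"webshop.cgi", "webshop cgi"),
    Rule("alert", HOME_NET, 80, b"phf", "other cgi"),   # constructed second CGI rule
    Rule("pass", WEBSHOP_IGNORE, 80, b"webshop.cgi"),
]

def evaluate(dst, dport, payload, pass_first):
    """Return the alert message, or None if the packet is passed or unmatched."""
    # pass_first=True models running with -o; False models the assumed default order.
    order = ["pass", "alert"] if pass_first else ["alert", "pass"]
    for action in order:
        for rule in RULES:
            if rule.action == action and rule.matches(dst, dport, payload):
                return rule.msg if action == "alert" else None
    return None

# Constructed sample packets: (destination, port, payload)
HOST_A, HOST_B = "10.1.1.3", "10.1.1.4"
PACKETS = [
    (HOST_A, 80, b"GET /cgi-bin/webshop.cgi HTTP/1.0"),
    (HOST_A, 80, b"GET /cgi-bin/phf HTTP/1.0"),
    (HOST_B, 80, b"GET /cgi-bin/webshop.cgi HTTP/1.0"),
]

if __name__ == "__main__":
    for pass_first in (True, False):
        print("pass rules first (-o):" if pass_first else "default order:")
        for dst, port, payload in PACKETS:
            print(f"  {dst}: {evaluate(dst, port, payload, pass_first)}")
```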



