[Snort-users] Suppress Web Browser traffic

Nalneesh Gaur nalneesh at ...131...
Sat Mar 3 22:11:14 EST 2001


Finally, after several hours, I have to send this to the list. I wish to ignore web browsing requests. Please take a look at the rules below. I keep seeing the logs (yes, I have HUPPED snort). I will admit I am not a good rules writer.

N

---------------------------

var EXTERNAL [192.168.13.248/32,192.168.13.249/32,208.192.168.250/32,192.168.13.251/32]
var IDSHOST 192.168.13.251/32
var PORTS    3
var SECONDS  5

##### Output
output alert_fast: /var/log/snort.alert

##### Preprocessors
preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: $INTERNAL $PORTS $SECONDS /var/log/snort/portscan
preprocessor portscan-ignorehosts: $EXTERNAL

# Logging tcp
log tcp any any <> $EXTERNAL 21 (session: printable;)
log tcp any any <> $EXTERNAL 23 (session: printable;)
log tcp any any <> $EXTERNAL 25 (session: printable;)
log tcp !$EXTERNAL any -> $EXTERNAL 53 (session: printable;)
log tcp any any <> $EXTERNAL 69 (session: printable;)
log tcp any any <> $EXTERNAL 79 (session: printable;)
pass tcp any 80 <> $EXTERNAL any 
#log tcp !$EXTERNAL any -> $EXTERNAL 80 (session: printable;)
log tcp any any <> $EXTERNAL 110 (session: printable;)
log tcp any any <> $EXTERNAL 111 (session: printable;)
log tcp any any <> $EXTERNAL 113 (session: printable;)
log tcp any any <> $EXTERNAL 143 (session: printable;)
log tcp any any <> $EXTERNAL 512:515 (session: printable;)
log tcp any any <> $EXTERNAL 600:620 (session: printable;)
log tcp any any <> $EXTERNAL 1111 (session: printable;)
log tcp any any <> $EXTERNAL 6660:6669 (session: printable;)
pass tcp any any <> $IDSHOST 22
log tcp !$EXTERNAL any <> $EXTERNAL !22 