[Snort-users] Suppress Web Browser traffic

Phil Wood cpw at ...440...
Sun Mar 4 11:34:13 EST 2001


Hmm,

Well, did you check the other port on those packets that ended up in your
log?  Reason, the rules match both coming and going.

Also, did you start snort over with the -o option?

On Sun, Mar 04, 2001 at 08:04:09AM -0600, Nalneesh Gaur wrote:
> Phil,
> 
> Thanks for your response, but take a look at the rules. I believe that there are
> no rules to log web browser traffic.
> 
> N
> ----- Original Message -----
> From: "Phil Wood" <cpw at ...440...>
> To: "Nalneesh Gaur" <nalneesh at ...131...>
> Sent: Saturday, March 03, 2001 9:43 PM
> Subject: Re: [Snort-users] Suppress Web Browser traffic
> 
> 
> > On Sat, Mar 03, 2001 at 09:11:14PM -0600, Nalneesh Gaur wrote:
> >
> > Check out the '-o' command line switch which changes the order of rule
> > processing.
> >
> > Lots of your questions can be answered from www.snort.org under the
> > documentation FAQ.
> >
> > > Finally after several hours, I have to send this to the list.  I wish to
> > > ignore web browsing requests.  Please take a look at the rules below.  I
> > > keep seeing the logs (yes I have HUPPED snort).  I will admit I am not a
> > > good rules writer.
> > >
> > > N
> > >
> > > ---------------------------
> > >
> > > var EXTERNAL [192.168.13.248/32,192.168.13.249/32,208.192.168.250/32,192.168.13.251/32]
> > > var IDSHOST 192.168.13.251/32
> > > var PORTS    3
> > > var SECONDS  5
> > >
> > > ##### Output
> > > output alert_fast: /var/log/snort.alert
> > >
> > > ##### Preprocessors
> > > preprocessor http_decode: 80 443 8080
> > > preprocessor minfrag: 128
> > > preprocessor portscan: $INTERNAL $PORTS $SECONDS /var/log/snort/portscan
> > > preprocessor portscan-ignorehosts: $EXTERNAL
> > >
> > > # Logging tcp
> > > log tcp any any <> $EXTERNAL 21 (session: printable;)
> > > log tcp any any <> $EXTERNAL 23 (session: printable;)
> > > log tcp any any <> $EXTERNAL 25 (session: printable;)
> > > log tcp !$EXTERNAL any -> $EXTERNAL 53 (session: printable;)
> > > log tcp any any <> $EXTERNAL 69 (session: printable;)
> > > log tcp any any <> $EXTERNAL 79 (session: printable;)
> > > pass tcp any 80 <> $EXTERNAL any
> > > #log tcp !$EXTERNAL any -> $EXTERNAL 80 (session: printable;)
> > > log tcp any any <> $EXTERNAL 110 (session: printable;)
> > > log tcp any any <> $EXTERNAL 111 (session: printable;)
> > > log tcp any any <> $EXTERNAL 113 (session: printable;)
> > > log tcp any any <> $EXTERNAL 143 (session: printable;)
> > > log tcp any any <> $EXTERNAL 512:515 (session: printable;)
> > > log tcp any any <> $EXTERNAL 600:620 (session: printable;)
> > > log tcp any any <> $EXTERNAL 1111 (session: printable;)
> > > log tcp any any <> $EXTERNAL 6660:6669 (session: printable;)
> > > pass tcp any any <> $IDSHOST 22
> > > log tcp !$EXTERNAL any <> $EXTERNAL !22
> >
> > --
> > Phil Wood, cpw at ...440...
> 
> 

-- 
Phil Wood, cpw at ...440...
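To make the "check the other port" advice concrete, here is a small Python model of how the header of each quoted rule is matched against a packet. It is an added illustration, not code from this thread or from Snort: it tries a `<>` rule in both directions and walks rule types in Snort 1.x's default Alert->Pass->Log order, so for a given packet you can see every rule its pair of ports hits and which one wins. The RULES subset and the sample packets in the checks are constructed; the $EXTERNAL and $IDSHOST values are the ones from the quoted snort.conf.

```python
# Variables exactly as defined in the quoted snort.conf.
VARS = {
    "$EXTERNAL": {"192.168.13.248", "192.168.13.249",
                  "208.192.168.250", "192.168.13.251"},
    "$IDSHOST": {"192.168.13.251"},
}

# Header part of four of the quoted rules (options are irrelevant to header matching).
RULES = [
    "pass tcp any 80 <> $EXTERNAL any",
    "log tcp any any <> $EXTERNAL 6660:6669",
    "pass tcp any any <> $IDSHOST 22",
    "log tcp !$EXTERNAL any <> $EXTERNAL !22",
]

def _ok(spec, value):
    """One address or port field: any, $VAR, 80, 512:515, or a !-negated one."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _ok(spec[1:], value)
    if spec.startswith("$"):
        return value in VARS[spec]
    lo, _, hi = spec.partition(":")
    return int(lo) <= int(value) <= int(hi or lo)

def matches(rule, pkt):
    """pkt = (src_ip, src_port, dst_ip, dst_port).  A '<>' rule is tried in
    both directions, so a rule written for a server port (6660:6669) also
    fires when that number turns up as a client's ephemeral source port."""
    _, _, rsrc, rsport, direction, rdst, rdport = rule.split()
    src, sport, dst, dport = pkt
    fields = (rsrc, rsport, rdst, rdport)
    fwd = all(_ok(s, v) for s, v in zip(fields, pkt))
    rev = all(_ok(s, v) for s, v in zip(fields, (dst, dport, src, sport)))
    return fwd or (direction == "<>" and rev)

def matching(pkt):
    """Every rule whose header matches, whatever its rule type."""
    return [r for r in RULES if matches(r, pkt)]

def verdict(pkt, order=("alert", "pass", "log")):
    """First match in rule-type order.  Snort 1.x checks Alert->Pass->Log by
    default; its -o switch changes that to Pass->Alert->Log."""
    for action in order:
        for r in RULES:
            if r.startswith(action + " ") and matches(r, pkt):
                return action, r
    return "none", None
```

Feeding the source and destination ports of a logged packet to `verdict()` shows, for instance, that an HTTPS connection from a host in $EXTERNAL is still logged by the final `!22` rule, because only port 80 has a pass rule.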