[Snort-users] Tweaking false positive alert
dave at ...1192...
Mon Mar 12 05:54:53 EST 2001
If you are not using the full class C, it might suffice to simply define another VAR and leave out your DNS server - I know, retarded, and the fugly factor increases exponentially, but hey, it will work ;)
VAR NOT_MY_DNS 192.168.0.1, etc etc
I don't know if Snort will allow negation of an IP from a particular address block? VAR NOT_MY_DNS $MY_NET, !192.168.0.10
Alternatively, you could subnet your 192.168 net with a /30 for the DNS server; that would save you from typing IP addresses ;)
Pointless suggestions that might help you out in the short term.
Quoting Max Vision (vision at ...4...):
> As a last resort you could always whip up a pcap expression to exclude the
> host, just append to the snort command line. Maybe something like:
> snort <blah options go here> '!(host ns.example.com && src port 53)'
> There might be something more elegant to be done within Snort but I can't
> think of it right now if there is :)
> On Sat, 10 Mar 2001, Lance Spitzner wrote:
> > Okay folks, how do I log this without alerting this
> > behavior? My internal DNS server is generating A LOT
> > of false alerts because it talks to and from port 53.
> > So I get a lot of these errors.
> > [**] MISC source port 53 to <1023 [**]
> > I want to do something like this, but it does not work.
> > alert udp $EXTERNAL_NET 53 -> $HOME_NET,!192.168.1.10 :1023 (msg:"MISC source port 53 to <1023";)
> > I want to say, apply this alert to everything in my internal
> > network BUT my DNS server. How do I do this functionality,
> > while keeping the alert-pass-log order?
> > Words of wisdom?
> > --
> > Lance Spitzner
> > http://project.honeynet.org
Dave Ryan Default Security
http://www.default.org.uk/~dave dave at ...1192...
GnuPG Key: http://www.default.org.uk/~dave/gpgkey.asc
Fingerprint: F418 C882 FF03 82A0 A99A 2720 669C E8C3 44B8 2A0F
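The three approaches raised in this thread (a negated address in the rule's destination list, a BPF expression on the command line, and a pass rule, whose effect depends on the alert/pass/log evaluation order) each keep the DNS server out of the alert, but with different side effects on what still gets logged. The model below is an added example and not code from the thread or from Snort; it assumes a simplified rule engine (assumption: rule types are evaluated in the given order and the first type with a matching rule decides the packet's fate) and uses constructed sample traffic, so the outcomes can be compared side by side.

```python
"""Model of three ways to keep an internal DNS server out of a
'source port 53 to <1023' alert, compared on constructed sample traffic.
Assumption: simplified Snort-like semantics where rule types are evaluated
in a fixed order and the first type with a matching rule wins."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class AddrList:
    """Address list in the spirit of Snort's syntax: CIDR entries, '!'-prefixed
    entries are exclusions, 'any' (or a list with only exclusions) means everything."""

    def __init__(self, *entries: str):
        self.pos = [ipaddress.ip_network(e) for e in entries if e != "any" and not e.startswith("!")]
        self.neg = [ipaddress.ip_network(e[1:]) for e in entries if e.startswith("!")]
        self.any = "any" in entries or not self.pos

    def __contains__(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        if any(a in n for n in self.neg):
            return False
        return self.any or any(a in n for n in self.pos)


@dataclass
class Rule:
    action: str            # 'alert', 'pass' or 'log'
    src: AddrList
    sport: Optional[int]   # None means any source port
    dst: AddrList
    dport_max: int         # ':1023' in rule syntax, i.e. destination ports 0..1023

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and (self.sport is None or p.sport == self.sport)
                and p.dst in self.dst and p.dport <= self.dport_max)


def process(packets: List[Packet], rules: List[Rule],
            order: Tuple[str, ...] = ("alert", "pass", "log"),
            bpf: Optional[Callable[[Packet], bool]] = None) -> Dict[Packet, str]:
    """Return the outcome per packet: 'alert+log', 'log', 'pass', 'none', or
    'filtered' when a BPF pre-filter hid the packet from the engine entirely."""
    outcomes: Dict[Packet, str] = {}
    for p in packets:
        if bpf is not None and not bpf(p):
            outcomes[p] = "filtered"   # never reaches any rule, so it is not logged either
            continue
        verdict = "none"
        for action in order:
            if any(r.action == action and r.matches(p) for r in rules):
                verdict = {"alert": "alert+log", "pass": "pass", "log": "log"}[action]
                break
        outcomes[p] = verdict
    return outcomes


HOME_NET = "192.168.1.0/24"
EXTERNAL = "!192.168.1.0/24"
DNS_SERVER = "192.168.1.10"

# Constructed sample traffic (hypothetical addresses)
PKTS = [
    Packet("203.0.113.5", 53, DNS_SERVER, 53),        # server-to-server DNS: the false positive
    Packet("203.0.113.5", 53, "192.168.1.20", 111),   # port-53-sourced traffic to a low port on a workstation
    Packet("203.0.113.5", 53, "192.168.1.20", 1025),  # high destination port: outside the rule
]


def scenarios() -> Dict[str, Dict[Packet, str]]:
    ext = AddrList(EXTERNAL)
    # (a) negated address inside the alert rule, plus a log-only rule for the DNS server
    negated = [
        Rule("alert", ext, 53, AddrList(HOME_NET, "!" + DNS_SERVER + "/32"), 1023),
        Rule("log", ext, 53, AddrList(DNS_SERVER + "/32"), 1023),
    ]
    # (b) plain alert rule; DNS server excluded up front, as '!(host 192.168.1.10 && src port 53)' would
    plain = [Rule("alert", ext, 53, AddrList(HOME_NET), 1023)]
    bpf = lambda p: not ((p.src == DNS_SERVER or p.dst == DNS_SERVER) and p.sport == 53)
    # (c) plain alert rule plus a pass rule for the DNS server, under both rule-type orders
    with_pass = plain + [Rule("pass", ext, 53, AddrList(DNS_SERVER + "/32"), 1023)]
    return {
        "negated_list": process(PKTS, negated),
        "bpf_filter": process(PKTS, plain, bpf=bpf),
        "pass_default_order": process(PKTS, with_pass),
        "pass_first_order": process(PKTS, with_pass, order=("pass", "alert", "log")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, [result[p] for p in PKTS])
```

Under this model only the negated-list variant both silences the alert and keeps a log record of the DNS server's traffic; the BPF pre-filter hides those packets from the engine altogether, and the pass rule does nothing under the default alert-pass-log order (the alert fires first) and logs nothing once the order is changed to pass-alert-log.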