[Snort-users] Tweaking false positive alert

Dave Ryan dave at ...1192...
Mon Mar 12 05:54:53 EST 2001


if you are not using the full class C it might suffice to simply define another VAR and leave out your DNS server - I know, retarded, and the fugly factor increases exponentially, but hey, it will work  ;)

VAR NOT_MY_DNS 192.168.0.1, etc etc 

I don't know if snort will allow negation of an IP from a particular address block? VAR NOT_MY_DNS $MY_NET, !192.168.0.10

Alternatively, you could subnet your 192.168 net with a /30 for the DNS server; that would save you from typing IP addresses ;)

Pointless suggestions that might help you out in the short term.

Quoting Max Vision (vision at ...4...):
> As a last resort you could always whip up a pcap expression to exclude the
> host, just append to the snort command line. Maybe something like:
> 
>  snort <blah options go here> '!(host ns.example.com && src port 53)'
> 
> There might be something more elegant to be done within Snort but I can't
> think of it right now if there is :)
> 
> Max
> 
> On Sat, 10 Mar 2001, Lance Spitzner wrote:
> > Okay folks, how do I log this without alerting this
> > behavior?  My internal DNS server is generating a lot
> > of false alerts because it talks to and from port 53.
> > So I get a lot of these errors.
> >
> > [**] MISC source port 53 to <1023 [**]
> >
> > I want to do something like this, but it does not work.
> >
> > alert udp $EXTERNAL_NET 53 -> $HOME_NET,!192.168.1.10 :1023 (msg:"MISC source port 53 to <1023";)
> >
> > I want to say, apply this alert to everything in my internal
> > network BUT my DNS server.  How do I do this functionality,
> > while keeping the alert-pass-log order?
> >
> > Words of wisdom?
> >
> > --
> > Lance Spitzner
> > http://project.honeynet.org
> >

-- 
Dave Ryan 				Default Security
http://www.default.org.uk/~dave		dave at ...1192...

GnuPG Key:      http://www.default.org.uk/~dave/gpgkey.asc
Fingerprint:    F418 C882 FF03 82A0 A99A  2720 669C E8C3 44B8 2A0F
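A small model of the two approaches discussed in this thread (an address list with a negated host in the rule, versus Max's capture filter), added here as an illustration and not code from any poster or from Snort itself. The variable values and sample packets are constructed, and the list semantics (match if inside some include and no exclude, an all-negated list meaning "everything else") are an assumption about what the rule is meant to express, not the exact syntax any given Snort version accepts.

```python
import ipaddress

# Constructed stand-ins for snort.conf variables (not the poster's network).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_addr_list(spec, variables=VARS):
    """Expand a list like '$HOME_NET,!192.168.1.10' into (includes, excludes).
    Assumed semantics: nested $VARs are expanded, '!$VAR' excludes whatever
    VAR covers, and a list with no positive entry means 'any'."""
    includes, excludes = [], []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        negate = item.startswith("!")
        item = item[1:] if negate else item
        if item.startswith("$"):
            inc, exc = parse_addr_list(variables[item[1:]], variables)
            if negate:
                excludes.extend(inc)
            else:
                includes.extend(inc)
                excludes.extend(exc)
        else:
            net = ANY if item == "any" else ipaddress.ip_network(item, strict=False)
            (excludes if negate else includes).append(net)
    return includes or [ANY], excludes


def addr_matches(ip, spec, variables=VARS):
    addr = ipaddress.ip_address(ip)
    includes, excludes = parse_addr_list(spec, variables)
    return any(addr in n for n in includes) and not any(addr in n for n in excludes)


def rule_fires(pkt, dns_server="192.168.1.10"):
    """Model of the thread's rule:
    alert udp $EXTERNAL_NET 53 -> $HOME_NET,!<dns_server> :1023"""
    return (pkt["proto"] == "udp" and pkt["sport"] == 53 and pkt["dport"] <= 1023
            and addr_matches(pkt["src"], "$EXTERNAL_NET")
            and addr_matches(pkt["dst"], f"$HOME_NET,!{dns_server}"))


def bpf_passes(pkt, ns_ip="192.168.1.10"):
    """Model of the capture filter '!(host ns.example.com && src port 53)'.
    False means Snort never sees the packet, so no rule and no logging applies."""
    return not (ns_ip in (pkt["src"], pkt["dst"]) and pkt["sport"] == 53)


# Constructed sample traffic: DNS replies into the LAN, one from the DNS server.
SAMPLE = [
    {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "192.168.1.10", "dport": 53},
    {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "192.168.1.20", "dport": 1000},
    {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "192.168.1.20", "dport": 1025},
    {"proto": "udp", "src": "192.168.1.10", "sport": 53, "dst": "192.168.1.20", "dport": 1000},
]
```

The rule-level exclusion leaves the DNS server's packets visible to every other rule, while the capture filter discards them before any rule or logger runs, which is the trade-off behind Lance's "keep the alert-pass-log order" question.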