[Snort-users] http_decode alerts bypassing "pass" rules

Martin Roesch roesch at ...1935...
Wed May 23 01:25:00 EDT 2001


Use the BPF filtering frontend.  This is covered briefly in the USAGE
file and in greater detail in the man page.  Basically, the preprocessor
stage fires before the rules-based engine where pass rules are
considered.  BPF acts as a pre-filter for packets before they get into
Snort at all so you can drop packets before they can get to the
preprocessor stage by that route.  For example, if you wanted to ignore
a specific host like 10.1.1.1:

snort -c snort.conf not host 10.1.1.1

It's pretty simple, check the docs.

     -Marty

Pete Philips wrote:
> 
> I have several "pass" rules in my snort.conf (before the
> http_decode preprocessor) which ignore all traffic to and
> from certain machines which are regularly used to test
> exploits etc.
> 
> This works fine and no alerts are generated by these hosts
> except when it is generated by http_decode such as:
> 
> May  9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected:
> 10.1.1.31:1312 -> 192.168.1.1:80
> 
> Is there a way to also silence these alerts for particular hosts?
> 
> Thanks!
> 
> Pete.
> 
> PS. I am running Snort 1.7 on OpenBSD.
> 
>   ---------------------------------------------------------------
> |   Pete Philips                                           \|/  |
> |   Integralis S3 Team                                      O   |
> |   E-mail:  pete at ...639...                           |
> |   Phone:   +44 118 930 6060                                   |
> |   PGP Key: http://www.s3.integralis.co.uk/pgp/pete.gpg        |
>   ---------------------------------------------------------------
> 

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org
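As an added illustration of the BPF pre-filter approach above (this is not code from the thread, from Marty, or from the Snort project), the small shell function below builds a `not (host ... or host ...)` expression for any number of excluded hosts, generalising the single-host example, and shows how it would sit on the snort command line. The host addresses are constructed for the example; 10.1.1.31 is the source address from Pete's alert.

```shell
#!/bin/sh
# Added example, not from the original thread or the Snort project.
# Builds a BPF expression that keeps traffic to/from the listed hosts out of
# Snort entirely, so preprocessor alerts (spp_http_decode etc.) never fire
# for them. Host list below is constructed for illustration.

# bpf_ignore_hosts HOST [HOST...]
# Prints: not (host A or host B ...)
bpf_ignore_hosts() {
    expr=""
    for h in "$@"; do
        if [ -z "$expr" ]; then
            expr="host $h"
        else
            expr="$expr or host $h"
        fi
    done
    # An empty host list produces no filter (and a non-zero status).
    [ -n "$expr" ] && printf 'not (%s)\n' "$expr"
}

# Sample usage: two test boxes whose exploit traffic should be ignored.
FILTER=$(bpf_ignore_hosts 10.1.1.1 10.1.1.31)

# The BPF expression goes after Snort's own options, as in Marty's example.
echo "snort -c snort.conf $FILTER"
```

Because the filter is applied by libpcap before Snort sees the packet, it silences preprocessor output and rule alerts alike for those hosts; the trade-off is that nothing at all from them is logged, which is what you want for dedicated test machines but not for anything you still need visibility into. If tcpdump is installed, `tcpdump -d` with the same expression compiles it and prints the filter program without capturing, which is a quick syntax check before putting it on the Snort command line.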