[Snort-users] single ip address

Erickson Brent W KPWA erickson at ...160...
Thu Feb 21 19:27:04 EST 2002


Hi Scott,

If you would like to ignore an address that is setting off a particular
alert rule (not port scan pre-processor or stealth scan) and say for example
that the destination port for the rule was 98 (Linux Config) and the host
was on your $HOME_NET,

you could do:

pass tcp 192.168.12.4/32 any -> any 98

And from the snort command line invoke the -o option to call the pass rules.

Example:

snort -d -o -A fast -c snort.conf

or:

pass tcp 192.168.12.4/32 any -> $EXTERNAL_NET 98

or if udp:

pass udp 192.168.12.4/32 any -> any 98

If the offending node is setting off the port scan pre-processor
(non-stealth)

you could do:

define the variable in snort.conf

var DNS2 192.168.12.4

and then in pre-processor portscan ignore: $DNS2

If the offending node is triggering the stealth code for the port scan
pre-processor or stream 4, you need a Berkeley Packet filter:

for example at the command line:

snort -d -A fast -c snort.conf 'not (src host 192.168.12.4 and dst port 98)'

src is source, dst is destination.

Hope this will help, and if I have made any glaring errors I trust that my
snort friends will take two drinks and correct me.

Brent Erickson


-----Original Message-----
From: Scott Taylor [mailto:scottt at ...4859...]
Sent: Thursday, February 21, 2002 5:33 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] single ip address


Hello all,
  I'm having a hard time finding info on 
applying rules to a single IP addy. For instance 
if I want to ignore a single IP address what 
would the pass rule look like?

pass tcp 192.168.12.4 -> any any

or do I need a /24 on the end of the IP?

Would this work in the snort.conf under home_net?

Cheers,
take 1 chug and kiss the person on your right.

Scott
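
An added example, not part of the original thread: a small Python audit that reads Snort rule headers and reports how many source addresses each pass rule exempts, so that a /24 typed where /32 was meant, or a header missing its port field, is caught before it becomes a detection blind spot. The function name, the sample rules and the treatment of a bare address as a single host are assumptions of this example.

```python
import ipaddress

# Constructed sample rules: forms from the thread plus two overly broad ones.
SAMPLE_RULES = """\
pass tcp 192.168.12.4/32 any -> any 98
pass tcp 192.168.12.4 -> any any
pass tcp 192.168.12.4/24 any -> any 98
pass udp any any -> any 98
alert tcp any any -> any 98
"""

def audit_pass_rules(text, max_hosts=1):
    """Return (line_no, rule_header, verdict) for every pass rule in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Drop rule options "(...)" and comments, keep only the header.
        rule = line.split("(", 1)[0].split("#", 1)[0].strip()
        fields = rule.split()
        if not fields or fields[0] != "pass":
            continue
        # Header: action proto src_ip src_port direction dst_ip dst_port
        if len(fields) != 7 or fields[4] not in ("->", "<>"):
            findings.append((no, rule, "malformed header"))
            continue
        src = fields[2]
        if src == "any":
            verdict = "exempts every source"
        elif src.startswith("$"):
            verdict = "variable source, resolve manually"
        else:
            try:
                # strict=False accepts host bits, as in 192.168.12.4/24.
                # Assumption: a bare address means one host (/32).
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                findings.append((no, rule, "unparseable source"))
                continue
            n = net.num_addresses
            verdict = "ok" if n <= max_hosts else f"exempts {n} addresses"
        findings.append((no, rule, verdict))
    return findings

if __name__ == "__main__":
    for no, rule, verdict in audit_pass_rules(SAMPLE_RULES):
        print(f"{no}: {verdict:35} {rule}")
```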
