[Snort-users] Quick Rule's Question...

Mark Taber mark at ...5117...
Wed Mar 6 10:44:09 EST 2002


Hi guys, and gals...

I am having an issue with a web-misc 403 forbidden alert.  The alert is
being triggered on a sensor that is hitting a trusted website.  I
haven't been able to figure out why the machine that the sensor is on is
trying to hit the website, so I thought that I might be able to write a
rule to pass that particular IP.  I have never written a rule before and
am not sure that I have written this one right, so I though I would send
it out to be critiqued.  Thanks for the help.....

(Rule that is in the web-misc file)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
classtype:attempted-recon; sid:1201; rev:2;)

(Rule that I am creating)
pass tcp $HTTP_SERVERS 80 -> x.x.x.x (IP Of Server on my network)
(msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
depth:12; classtype:attempted-recon; sid:1201; rev:2;)

I believe I would need to run snort with the -o switch configured, is
that correct?

Thanks again for the help,

Mark




More information about the Snort-users mailing list