[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts

Michael Boman michael.boman at ...4162...
Sun May 19 20:39:02 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 20 May 2002 10:41, Ed Kasky wrote:
> At 10:20 AM Monday, 5/20/2002, Michael Boman wrote -=>
>
> >On Monday 20 May 2002 10:00, Ed Kasky wrote:
> > > Is there a way to disable certain alerts from any home_net host to
> > > another home_net host?  I back up my web server over the wire to a tape
> > > machine and get flooded with "Shellcode X86 Noop" alerts whenever I run
> > > it.  I also get a lot of "WEB-MISC long basic authorization string"
> > > alerts using acid to view alerts in a mysql database.
> > >
> > > I was under the impression that "alert ip $EXTERNAL_NET any ->
> > > $HOME_NET" took care of this.
> > >
> > >  From my snort.conf:
> > > var HOME_NET 10.0.0.0/24
> >
> >And I bet you have:
> >
> >var EXTERNAL_NET any
>
> Good guess...
>
> >that matches any address, including those in HOME_NET. why not set
> >EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET). This would how ever
> >limit the ability to catch insiders....
>
> I see what you mean if I change it in snort.conf.
>
> Will this work in an individual rule:
> "alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET"
>
> Or can I even make it more specific to exclude the one ip address that is
> causing the specific alert when backing up?
> "alert ip $EXTERNAL_NET !10.0.0.3 -> $HOME_NET"

You could create a 'pass' rule.

var HOME_NET [10.1.1.0/24,10.1.2.0/24]
var EXTERNAL_NET !$HOME_NET
var IGNORE_THIS_BOX [10.2.1.92]

pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incomming 
traffic";)

and start snort with '-o'. Be carefull thought, too many pass rules and 
performance is dropping dramaticly.

Best regards
 Michael Boman

- -- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE86G8yds5fQJiraJwRArC4AJ0dPJn/h1CrptLhxrX4ejZtjH7BQACgxbjK
CV2vIHnwTkIFhK5LYpXZlgo=
=r/Zk
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list