[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts
michael.boman at ...4162...
Sun May 19 20:39:02 EDT 2002
On Monday 20 May 2002 10:41, Ed Kasky wrote:
> At 10:20 AM Monday, 5/20/2002, Michael Boman wrote -=>
> >On Monday 20 May 2002 10:00, Ed Kasky wrote:
> > > Is there a way to disable certain alerts from any home_net host to
> > > another home_net host? I back up my web server over the wire to a tape
> > > machine and get flooded with "Shellcode X86 Noop" alerts whenever I run
> > > it. I also get a lot of "WEB-MISC long basic authorization string"
> > > alerts using acid to view alerts in a mysql database.
> > >
> > > I was under the impression that "alert ip $EXTERNAL_NET any ->
> > > $HOME_NET" took care of this.
> > >
> > > From my snort.conf:
> > > var HOME_NET 10.0.0.0/24
> >And I bet you have:
> >var EXTERNAL_NET any
> Good guess...
> >That matches any address, including those in HOME_NET. Why not set
> >EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET)? This would however
> >limit the ability to catch insiders....
> I see what you mean if I change it in snort.conf.
> Will this work in an individual rule:
> "alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET"
> Or can I even make it more specific to exclude the one ip address that is
> causing the specific alert when backing up?
> "alert ip $EXTERNAL_NET !10.0.0.3 -> $HOME_NET"
You could create a 'pass' rule.
var HOME_NET [10.1.1.0/24,10.1.2.0/24]
var EXTERNAL_NET !$HOME_NET
var IGNORE_THIS_BOX [10.2.1.92]
pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incoming";)
and start snort with '-o'. Be careful though, too many pass rules and
performance drops dramatically.
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
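The point about '-o' is easy to get wrong: by default Snort evaluates alert rules before pass rules, so a pass rule only wins if the rule order is switched to Pass->Alert->Log. The following is an added illustration, not code from the thread or from Snort itself: a small Python model of that ordering that parses a snort.conf fragment modelled on the one above (the var values and the rules are constructed sample data), expands $VAR references and !negation in the address fields, and reports which rule a source/destination pair would hit with and without pass-first ordering. Ports and the <> direction are not modelled, and the config parser only understands the var/pass/alert/log lines shown.

```python
import ipaddress
import re

# Constructed snort.conf fragment modelled on the post (sample data, not a real deployment).
CONF = """
var HOME_NET [10.1.1.0/24,10.1.2.0/24]
var EXTERNAL_NET !$HOME_NET
var IGNORE_THIS_BOX [10.2.1.92]
pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incoming";)
"""

# Snort's classic rule-order: Alert, Pass, Log by default; '-o' switches to Pass, Alert, Log.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")

RULE_RE = re.compile(
    r"^(pass|alert|log)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
VAR_RE = re.compile(r"^var\s+(\w+)\s+(\S+)\s*$")


def parse_config(text):
    """Return (variables, rules) from a minimal snort.conf-style text."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            msg = re.search(r'msg:"([^"]*)"', m.group(7))
            rules.append({
                "action": m.group(1), "proto": m.group(2),
                "src": m.group(3), "dst": m.group(5),
                "msg": msg.group(1) if msg else "",
            })
    return variables, rules


def resolve(spec, variables):
    """Textually expand $NAME references, the way snort.conf variables work."""
    while True:
        m = re.search(r"\$(\w+)", spec)
        if not m:
            return spec
        spec = spec.replace(m.group(0), variables[m.group(1)])


def addr_matches(spec, ip, variables):
    """True if ip satisfies an address spec: any, a CIDR, a [list], optionally !negated."""
    spec = resolve(spec, variables)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    addr = ipaddress.ip_address(ip)
    hit = False
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if item == "any" or addr in ipaddress.ip_network(item, strict=False):
            hit = True
            break
    return hit != negate


def evaluate(config_text, src_ip, dst_ip, pass_first=False):
    """Return (action, msg) of the first rule that fires under the chosen rule order."""
    variables, rules = parse_config(config_text)
    order = PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER
    for action in order:  # rules are grouped by action type, then checked in file order
        for rule in rules:
            if rule["action"] != action:
                continue
            if addr_matches(rule["src"], src_ip, variables) and \
               addr_matches(rule["dst"], dst_ip, variables):
                return action, rule["msg"]
    return None, None


if __name__ == "__main__":
    for src in ("10.2.1.92", "10.1.1.7", "192.0.2.1"):
        for pf in (False, True):
            print(src, "-> 10.1.1.5", "with -o" if pf else "default", evaluate(CONF, src, "10.1.1.5", pf))
```

Running it shows the backup host 10.2.1.92 still triggers the alert under the default order and is only silenced once pass rules are evaluated first, while a HOME_NET-to-HOME_NET pair matches nothing because EXTERNAL_NET is !$HOME_NET.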