[Snort-users] Rule Creation Question !.
Wayne T Work
securitygauntlet at ...3130...
Thu Oct 3 15:00:06 EDT 2002
Place an IP address in the variables in the snort.conf file which tells
Snort which servers you are using such as DNS_SERVER and SMTP. Uncomment
this line --- preprocessor portscan-ignorehosts: $DNS_SERVERS (and add
$SMTP). This is one way to ignore some of the traffic which is naturally
created by these services.
IMHO I would not ignore ALL the traffic from these servers as they can be
If you just have an absolute need to ignore them, yes you can write a PASS
rule and use something like ---- pass tcp $SMTP 53 -> $EXTERNAL_NET any
You should place this in local rules and enable it in snort.conf.
This should ignore any port 53 SMTP traffic outbound for any external
address and port. Be careful though, as I said, if your server gets
compromised you can have lots of trouble not seeing the traffic. SMTP relay
comes to mind right away.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Moreno Poli
Sent: Tuesday, October 01, 2002 10:13 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule Creation Question !.
If I have a server with POP3 and SMTP services, is it possible to create a rule
that logs all incoming traffic except traffic for these 2 ports? I know I can
create a rule that logs all traffic except 1 port, but if the ports are two
or three, is it possible?
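
Added example, not part of either message above: one way to lay out the configuration the thread discusses, with one pass rule per excluded port (SMTP 25, POP3 110) followed by log rules for everything else inbound. The server address is a constructed placeholder, and the rule ordering noted in the comments is an assumption based on the Snort 1.x series.

```conf
# ---- snort.conf (fragment) ----
# Constructed address (documentation range); substitute the real mail server.
# DNS_SERVERS and EXTERNAL_NET are assumed to be defined already, as in the
# stock snort.conf.
var SMTP 192.0.2.10/32

# Keep the portscan preprocessor from flagging these hosts' normal chatter.
preprocessor portscan-ignorehosts: $DNS_SERVERS $SMTP

# Load the site-specific rules below (adjust the path to your installation).
include local.rules

# ---- local.rules ----
# One pass rule per excluded port, limited to inbound connections to the
# service ports. Traffic the server itself originates still goes through
# the rest of the rule set, so relay abuse or a compromised host stays visible.
pass tcp $EXTERNAL_NET any -> $SMTP 25
pass tcp $EXTERNAL_NET any -> $SMTP 110

# Everything else inbound to the server is logged.
# Assumption: Snort 1.x rule ordering, where pass rules are applied before
# log rules, and before alert rules only when Snort is started with -o.
log tcp $EXTERNAL_NET any -> $SMTP any
log udp $EXTERNAL_NET any -> $SMTP any
log icmp $EXTERNAL_NET any -> $SMTP any
```

Running Snort against a saved capture of known mail traffic is a quick way to confirm that only the two service ports are being passed.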