[Snort-users] Rule Creation Question !.

Wayne T Work securitygauntlet at ...3130...
Thu Oct 3 15:00:06 EDT 2002


Place an IP address in the variables in the snort.conf file which tell
Snort which servers you are using, such as DNS_SERVER and SMTP. Uncomment
this line --- preprocessor portscan-ignorehosts: $DNS_SERVERS (and add
$SMTP). This is one way to ignore some of the traffic which is naturally
created by these services.
 
IMHO I would not ignore ALL the traffic from these servers as they can be
readily exploited.  
 
If you just have an absolute need to ignore them, yes, you can write a PASS
rule and use something like ----     pass tcp $SMTP 53 -> $EXTERNAL_NET any
You should place this in local rules and enable it in snort.conf.
 
This should ignore any port 53 SMTP traffic outbound for any external
address and port. Be careful though, as I said, if your server gets
compromised you can have lots of trouble not seeing the traffic. SMTP relay
comes to mind right away.
 
Good luck

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Moreno Poli
Sent: Tuesday, October 01, 2002 10:13 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule Creation Question !.


If I have a server with POP3 and SMTP services, is it possible to create a
rule that logs all incoming traffic except traffic for these 2 ports? I know
that it is possible to create a rule that logs all traffic except 1 port, but
if the ports are two or three, is it possible?
 
 
Moreno Poli
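
An added example, not part of either message above: one way to express "log everything inbound except two ports" with per-port pass rules, in the Snort 1.x rule syntax the thread uses. The variable name MAIL_SERVER and the address 192.0.2.10 are constructed placeholders, and $EXTERNAL_NET is assumed to be defined in snort.conf already.

```snort
# local.rules (must be included from snort.conf)
# Constructed placeholder address for the POP3/SMTP server.
var MAIL_SERVER 192.0.2.10/32

# Pass only inbound connections to the two service ports, one rule per port.
# Nothing sourced FROM the server is passed, so outbound traffic from a
# compromised host (for example relay abuse) stays visible.
pass tcp $EXTERNAL_NET any -> $MAIL_SERVER 25
pass tcp $EXTERNAL_NET any -> $MAIL_SERVER 110

# Log every other inbound TCP and UDP packet addressed to the server.
log tcp $EXTERNAL_NET any -> $MAIL_SERVER any
log udp $EXTERNAL_NET any -> $MAIL_SERVER any

# Rule order matters: by default Snort tests alert rules, then pass, then log,
# so these pass rules suppress the log rules above but alert rules still see
# ports 25 and 110. Starting Snort with -o changes the order to
# pass, alert, log, which would also hide that traffic from alert rules.
```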
