[Snort-users] Rule help

Erek Adams erek at ...950...
Mon Jan 27 09:47:06 EST 2003


On Mon, 27 Jan 2003, Gordon Cunningham wrote:

> I'm not quite sure how to approach writing or modifying rules for this
> scenario.  I have several hosts on my LAN that use SNMP polling for
> monitoring.  If I use the default rulebase for "SNMP request udp", these
> hosts will continually trigger alerts.  However, I'm not sure how to write
> the rule to exclude them but still limit the FROM addresses to my LAN.
>
> In other words, I'd like to get SNMP Request UDP alerts from any hosts on my
> LAN (which is a subset of the entire company network) OTHER than the few
> I've designated.  How do I designate a subnet and exclude a few hosts from
> that subnet?  I tried this - doesn't seem to work with 1.9.0:
>
> alert udp [$HOME_NET,!1.2.4.4,!2.3.4.5,!5.4.3.2] any -> $HOME_NET 161
> (msg:"SNMP request udp"; reference:cve,CAN-2002-0012;
> reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

Have a look at this:

	http://www.theadamsfamily.net/~erek/snort/ignore.txt

It was sent to the mailing list a while back, and it shows you two ways to
do that.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
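As an added illustration (not the contents of ignore.txt and not code from either poster), here are two rule constructions Snort supports for alerting on SNMP requests from the LAN while leaving the designated pollers quiet. $HOME_NET is assumed to be defined elsewhere in snort.conf as on the poster's system, and the hosts are the three from the quoted rule; the sid 1000001 is a constructed local-range value.

```snort
# Approach 1: a 'pass' rule for the monitoring hosts, alert rule left as-is.
# Works on Snort 1.x and 2.x. Note that older Snort evaluates rules in the
# order Alert -> Pass -> Log, so the pass rule only wins if Snort is started
# with -o (or, on 2.x, with "config order: pass alert log" in snort.conf).
var SNMP_POLLERS [1.2.4.4,2.3.4.5,5.4.3.2]

pass udp $SNMP_POLLERS any -> $HOME_NET 161 \
    (msg:"SNMP poll from designated monitoring host"; sid:1000001; rev:1;)

alert udp $HOME_NET any -> $HOME_NET 161 \
    (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; \
    reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

# Approach 2: Snort 2.4 and later. 'ipvar' lists accept a negated sub-list,
# so the exclusion lives in the variable and the rule stays simple. The list
# must contain no spaces, and a negated range may not be broader than the
# positive ranges it is subtracted from (Snort rejects the config otherwise).
ipvar SNMP_SOURCES [$HOME_NET,![1.2.4.4,2.3.4.5,5.4.3.2]]

alert udp $SNMP_SOURCES any -> $HOME_NET 161 \
    (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; \
    reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)
```

After changing either form, run Snort with -T against the config to confirm the rules parse, and send one test poll from a designated host and one from another LAN host to verify only the latter alerts.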
