[Snort-users] How to ignore a specific host(s)?

CGhercoias at ...8619... CGhercoias at ...8619...
Fri May 30 10:45:03 EDT 2003


Hello everybody,

I have installed snort on several machines and everything works well.
But,... I have one of the sensors listening in the _internal_ network, and it
is located on the same segment as the _management_ server (ACID, mysql,
php, Snortcenter, etc).
Whenever an alert is triggered, let's say someone has received a spam
email with porn in it, the event gets written in the database.
I use Snort Alert Monitor (SAM) to be notified in real time if something is
happening.
I like the semaphore and the voice of HAL ;o), and it is pretty cool to be
notified like this, rather than going into ACID every minute or so.

Now, if I browse in ACID to see that event, payload, etc. another alert is
triggered, this time because of me -- ACID is sending the page with
the "malicious" content to my browser (because I'm browsing ACID from my
workstation), the _internal_ agent sees that and another alert gets
written in the database... and so on.

This is the first part of my snort.eth1.conf:

#-------------------------------------------------------------------------------
# Snort Configuration file for < internal >
# Created with SnortCenter v1.0 RC1 < http://users.pandora.be/larc/ >

var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var HOME_NET [any,!177.1.0.84/32,!177.1.0.94/32]
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var DNS_SERVERS [177.1.0.10/32,177.1.0.19/32]
# Next variable automatic added by SnortCenter, used in some rule(s).
var EXTERNAL_NET any
#
output database: log, mysql, user=snort password=Sn0w.Strm dbname=snort host=177.1.0.94 port=3306 sensor_name=internal detail=full
#---------------------------------DATA SKIPS----------------------------------------

Although I've added these two hosts to be explicitly ignored in
var HOME_NET [any,!177.1.0.84/32,!177.1.0.94/32], I've searched the
documentation, I've seen an answer from Erek Adams, and whatever I tried, the
thing is not working.

What is missing, what am I doing wrong?

Thank you in advance for your help,

Catalin Ghercoias
mailto:cghercoias at ...8617...
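Editor's added example, not part of the original post or of SnortCenter's generated configuration. It shows the two mechanisms Snort itself provides for leaving specific hosts out of detection: a pass rule in snort.conf and a libpcap BPF filter given on the command line. A negation inside HOME_NET only narrows the rules that reference $HOME_NET; rules written against $EXTERNAL_NET any, or any/any rules, still match traffic to and from those hosts. The two addresses are the ones from the configuration above; the interface name, file paths and sid value are assumptions.

```snort
# Added example (not the poster's configuration).  Two ways to stop the
# management server (177.1.0.94, ACID/MySQL) and the analyst workstation
# (177.1.0.84) from generating alerts on the internal sensor.

# 1) A narrow pass rule in snort.eth1.conf.  Only the ACID console traffic
#    between the management server's web port and the workstation is ignored;
#    everything else to or from these hosts is still inspected.  Snort's
#    default rule order is Alert -> Pass -> Log, so pass rules only win if
#    snort is started with -o (Pass -> Alert -> Log).  sid is an assumed
#    local-rule number.
pass tcp 177.1.0.94 80 <> 177.1.0.84 any (msg:"pass ACID console traffic"; sid:1000001; rev:1;)

# 2) A libpcap BPF filter, given after all other command-line options.
#    Matching packets never reach the detection engine, so no rule can fire
#    on them.  The trade-off: attacks aimed at the management host itself
#    become invisible to this sensor, which the pass rule above avoids.
#    Interface and paths are assumptions.
#
#    snort -c /etc/snort/snort.eth1.conf -i eth1 -o not host 177.1.0.84 and not host 177.1.0.94
#
#    The same expression can be kept in a file and loaded with -F:
#    snort -c /etc/snort/snort.eth1.conf -i eth1 -o -F /etc/snort/ignore.bpf
```

Prefer the pass rule where the excluded host is itself worth monitoring: it silences only the known-benign console traffic, while the BPF filter blinds the sensor to the whole host. Whichever is used, the sensor must be restarted (or sent SIGHUP) for the change to take effect.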
