[Snort-users] Filtering alerts
erek at ...950...
Tue Sep 23 07:05:12 EDT 2003
On Tue, 23 Sep 2003, Richard Brackett wrote:
> I understand what you're saying, but what about a rule I'm interested in
> like the IIS Code Red rule. I know that all my current servers are
> patched against it so the alerts I get are just noise. I'm loath to
> disable the rule though because I never know when someone might put up
> an unpatched IIS box and get it infected. So, I'd like to be able to say
> "Don't alert when you see this attack to these addresses, but please
> alert to any other address." The only way to do it with Snort seems to
> be to use pass rules, which are supposed to take more CPU cycles to
> process. The BPF rules don't help me with individual SIDs, just IPs
> and protocols.
> Is there an output processing system that will filter alerts before
> sending them to mysql for ACID to look at?
Modify the rule and place it in something like 'my.rules'.
var MY_PATCHED_SERVERS [10.10.10.0/29]
alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80 <stuff>
"When things get weird, the weird turn pro." H.S. Thompson
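As an added example (not code from the thread or from the Snort project): a small Python matcher for Snort rule headers that shows how the negated variable in the reply above changes which destinations the rule fires on. The variable table, the `->` direction, and the packet tuples are constructed assumptions; only the header is evaluated, the rule options in <stuff> are ignored.

```python
# Evaluates the header part of a Snort rule (action proto src sport -> dst dport)
# with $VARIABLE expansion, [list] syntax and ! negation, so you can check which
# packets a rule like "alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80"
# would still alert on before loading it into a sensor.
import ipaddress
import re

# Constructed variable table; MY_PATCHED_SERVERS is the value from the reply,
# EXTERNAL_NET is an assumed "everything outside the /24" setting.
VARS = {
    "EXTERNAL_NET": "!10.10.10.0/24",
    "MY_PATCHED_SERVERS": "[10.10.10.0/29]",
}

def expand(token, table=VARS):
    """Replace $NAME references with their configured values."""
    return re.sub(r"\$(\w+)", lambda m: table[m.group(1)], token)

def ip_matches(spec, ip):
    """Evaluate a Snort address spec: 'any', a CIDR, a [a,b] list, or !negation."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(s, ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Evaluate a Snort port spec: 'any', N, lo:hi (open-ended allowed), or !negation."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def header_matches(rule, proto, src, sport, dst, dport):
    """True if the packet tuple matches the rule header (unidirectional '->' only)."""
    action, rproto, rsrc, rsport, direction, rdst, rdport = rule.split()[:7]
    if rproto != proto or direction != "->":
        return False
    return (ip_matches(expand(rsrc), src) and port_matches(expand(rsport), sport)
            and ip_matches(expand(rdst), dst) and port_matches(expand(rdport), dport))

# The rule from the reply, with a placeholder option block instead of <stuff>.
RULE = 'alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80 (msg:"placeholder";)'
```

Traffic to a host inside 10.10.10.0/29 on port 80 no longer matches, while the same request to any other destination still alerts.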