[Snort-users] Filtering alerts

Richard Brackett rbrackett at ...10146...
Tue Sep 23 07:10:15 EDT 2003


Thanks man, that'll help. 

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Tuesday, September 23, 2003 10:04 AM
To: Richard Brackett
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Filtering alerts

On Tue, 23 Sep 2003, Richard Brackett wrote:

> I understand what you're saying, but what about a rule I'm interested
> in
> like the IIS Code Red rule. I know that all my current servers are
> patched against it so the alerts I get are just noise. I'm loath to
> disable the rule though because I never know when someone might put up
> an unpatched IIS box and get it infected. So, I'd like to be able to
> say
> "Don't alert when you see this attack to these addresses, but please
> alert to any other address." The only way to do it with Snort seems to
> be to use pass rules, which are supposed to take more CPU cycles to
> process. The BPF rules don't help me with individual SID's, just IP's
> and protocols.
>
> Is there an output processing system that will filter alerts before
> sending them to mysql for ACID to look at?

Modify the rule and place it in something like 'my.rules'.

	# hosts already patched against Code Red; excluded from the destination below
	var MY_PATCHED_SERVERS [10.10.10.0/29]

	alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80 <stuff>

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
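As an added illustration (not Snort's code and not part of the original thread), the following Python model shows how a rule header of the shape suggested above resolves IP variables, bracketed lists and the `!` negation, so that traffic to the patched /29 is skipped while traffic to any other host on port 80 still alerts. The variable values and packet addresses are constructed for the example; only the header is evaluated and the rule's payload options are ignored.

```python
import ipaddress

# Constructed model of Snort rule-header address matching; not Snort's own code.

def parse_ip_list(spec):
    """'[10.10.10.0/29,192.0.2.5]' or '10.10.10.0/29' -> list of networks."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]

def resolve_target(token, variables):
    """Return (negated, networks) for a header token such as 'any',
    '$HOME_NET' or '!$MY_PATCHED_SERVERS'; networks=None means any address."""
    negated = False
    while token.startswith("!"):
        negated = not negated
        token = token[1:]
    if token.startswith("$"):          # a variable may itself be negated, e.g. !$HOME_NET
        inner_negated, nets = resolve_target(variables[token[1:]], variables)
        return negated != inner_negated, nets
    if token == "any":
        return negated, None
    return negated, parse_ip_list(token)

def address_matches(ip, token, variables):
    negated, nets = resolve_target(token, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def rule_applies(header, variables, src_ip, dst_ip, dst_port):
    """True if 'alert tcp <src> <sport> -> <dst> <dport>' matches the packet."""
    _action, _proto, src, _sport, arrow, dst, dport = header.split()[:7]
    if arrow != "->":
        raise ValueError("only the '->' direction operator is modelled")
    return (address_matches(src_ip, src, variables)
            and address_matches(dst_ip, dst, variables)
            and (dport == "any" or int(dport) == dst_port))

# Constructed variables: the /29 holds the already patched IIS servers.
VARS = {"HOME_NET": "[10.10.10.0/24]",
        "EXTERNAL_NET": "!$HOME_NET",
        "MY_PATCHED_SERVERS": "[10.10.10.0/29]"}
CODE_RED_HEADER = "alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80"

if __name__ == "__main__":
    for dst in ("10.10.10.3", "10.10.10.20"):   # patched host vs. unknown new box
        print(dst, rule_applies(CODE_RED_HEADER, VARS, "203.0.113.7", dst, 80))
```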




More information about the Snort-users mailing list