[Snort-users] Filtering alerts
rbrackett at ...10146...
Tue Sep 23 07:10:15 EDT 2003
Thanks man, that'll help.
From: Erek Adams [mailto:erek at ...950...]
Sent: Tuesday, September 23, 2003 10:04 AM
To: Richard Brackett
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Filtering alerts
On Tue, 23 Sep 2003, Richard Brackett wrote:
> I understand what you're saying, but what about a rule I'm interested
> like the IIS Code Red rule. I know that all my current servers are
> patched against it so the alerts I get are just noise. I'm loath to
> disable the rule though because I never know when someone might put up
> an unpatched IIS box and get it infected. So, I'd like to be able to
> "Don't alert when you see this attack to these addresses, but please
> alert to any other address." The only way to do it with Snort seems to
> be to use pass rules, which are supposed to take more CPU cycles to
> process. The BPF rules don't help me with individual SID's, just IP's
> and protocols.
> Is there an output processing system that will filter alerts before
> sending them to mysql for ACID to look at?
Modify the rule and place it in something like 'my.rules'.
var MY_PATCHED_SERVERS [10.10.10.0/29]
alert tcp $EXTERNAL_NET any !$MY_PATCHED_SERVERS 80 <stuff>
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users