[Snort-users] Filtering alerts

Marc Quibell mquibell at ...7759...
Tue Sep 23 13:47:25 EDT 2003



Huh? Well, that's different, but you have to keep updating it with patched
systems, overwritten patches, etc. I have an idea, how about looking at the
outgoing packets for (in this case) Code Red packets? This way, you'll know for
sure you have an infected machine. After all, you don't care about the attempts
coming in, because you really don't know if your servers are infected or hacked!
So then the rule would look like this:

     alert tcp $INTERNAL_NET any -> $EXTERNAL_NET 80 <code red schtuff>

Marc

"Nothing clever to say"


>Message: 3
>Date: Tue, 23 Sep 2003 10:04:01 -0400 (EDT)
>From: Erek Adams <erek at ...950...>
>To: Richard Brackett <rbrackett at ...10146...>
>cc: snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] Filtering alerts

>On Tue, 23 Sep 2003, Richard Brackett wrote:

>> I understand what you're saying, but what about a rule I'm interested in
>> like the IIS Code Red rule. I know that all my current servers are
>> patched against it so the alerts I get are just noise. I'm loath to
>> disable the rule though because I never know when someone might put up
>> an unpatched IIS box and get it infected. So, I'd like to be able to say
>> "Don't alert when you see this attack to these addresses, but please
>> alert to any other address." The only way to do it with Snort seems to
>> be to use pass rules, which are supposed to take more CPU cycles to
>> process. The BPF rules don't help me with individual SID's, just IP's
>> and protocols.
>>
>> Is there an output processing system that will filter alerts before
>> sending them to mysql for ACID to look at?

>Modify the rule and place it in something like 'my.rules'.

>    var MY_PATCHED_SERVERS [10.10.10.0/29]

>    alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80 <stuff>

>Cheers!

>-----
>Erek Adams

>   "When things get weird, the weird turn pro."   H.S. Thompson
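To make the difference between the two approaches in this thread concrete, here is a small simulation of the Snort rule header logic (address variables, `!` negation, CIDR lists, ports and direction) run over a handful of constructed packets. This is added example code, not Snort and not anything from the list posts: the `INTERNAL_NET`/`EXTERNAL_NET` values, the `"/default.ida?"` content match standing in for the `<stuff>`/`<code red schtuff>` placeholders, and the packets are all assumptions made for the example.

```python
"""Simulate Snort rule-header matching for the three rules discussed:
the stock inbound rule, Erek's rule with the patched servers negated
out of the destination, and Marc's outbound rule. Constructed example;
it models only addresses, ports, direction and a single content match."""
import ipaddress
from dataclasses import dataclass

# Snort-style variables (values are constructed for this example).
# MY_PATCHED_SERVERS is the /29 from Erek's reply.
VARS = {
    "INTERNAL_NET": "[10.10.10.0/24]",
    "EXTERNAL_NET": "!$INTERNAL_NET",
    "MY_PATCHED_SERVERS": "[10.10.10.0/29]",
}


def addr_matches(spec: str, ip: str) -> bool:
    """Evaluate a rule address field ('any', '$VAR', '!$VAR', '[a,b]', CIDR)."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(VARS[spec[1:]], ip)
    if spec.startswith("["):
        return any(addr_matches(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


@dataclass
class Rule:
    name: str
    src: str
    sport: str
    dst: str
    dport: str
    content: str  # stands in for the rule options the thread elides

    def matches(self, pkt: Packet) -> bool:
        return (addr_matches(self.src, pkt.src)
                and port_matches(self.sport, pkt.sport)
                and addr_matches(self.dst, pkt.dst)
                and port_matches(self.dport, pkt.dport)
                and self.content in pkt.payload)


# Well-known request path used by Code Red; assumed as the content match here.
CODE_RED = "/default.ida?"

RULES = [
    Rule("stock", "$EXTERNAL_NET", "any", "$INTERNAL_NET", "80", CODE_RED),
    Rule("erek", "$EXTERNAL_NET", "any", "!$MY_PATCHED_SERVERS", "80", CODE_RED),
    Rule("marc", "$INTERNAL_NET", "any", "$EXTERNAL_NET", "80", CODE_RED),
]

# Constructed traffic: two inbound attempts, one outbound attempt, one benign request.
PACKETS = [
    ("inbound-to-patched", Packet("192.0.2.7", 3333, "10.10.10.2", 80, "GET /default.ida?NNNN HTTP/1.0")),
    ("inbound-to-unpatched", Packet("192.0.2.7", 3334, "10.10.10.50", 80, "GET /default.ida?NNNN HTTP/1.0")),
    ("outbound-from-infected", Packet("10.10.10.50", 4444, "198.51.100.9", 80, "GET /default.ida?NNNN HTTP/1.0")),
    ("benign-inbound", Packet("192.0.2.7", 3335, "10.10.10.50", 80, "GET / HTTP/1.0")),
]


def fired(rule: Rule, packets=PACKETS) -> list:
    """Return the labels of the packets a rule would alert on."""
    return [label for label, pkt in packets if rule.matches(pkt)]


if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule.name:6s} -> {fired(rule)}")
```

Running it shows the stock rule alerting on both inbound attempts (the noise Richard wants gone), Erek's rule alerting only for the host outside the patched /29, and Marc's rule staying silent on every inbound attempt but firing when an internal host sends the request out, which is the "you know for sure you have an infected machine" case.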
