[Snort-users] Customizing snort rules

AJ Butcher, Information Systems and Computing Alex.Butcher at ...11254...
Tue Apr 6 04:00:02 EDT 2004


--On 06 April 2004 14:29 +0530 simonkc at ...11578... wrote:

> Hi,
>
> Can anyone point me in the direction of any document explaining how to
> customize snort rules.
> I have a situation wherein the Snort IDS is alerting even for normal SNMP
> requests and traps. How do I disable these alerts for only specific SNMP
> management stations but keep the SNMP rule turned on??

Something like this:

var SNMP_MGMT_STATIONS [10.1.1.2/32,192.168.31.5/32,10.10.10.0/24]

[...]

comment out the affected rules and copy them, replacing the source mask 
(probably $EXTERNAL_NET) with !SNMP_MGMT_STATIONS (i.e. anything but your 
designated SNMP management stations).

> Thanks and Regards
> Simon

HTH,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
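
The edit described in the reply above, as an added example that is not part of the original post: a Python helper that emits the `var` line and, for each active SNMP rule whose source is `$EXTERNAL_NET`, comments out the original and adds a copy whose source is `!$SNMP_MGMT_STATIONS` (Snort references a variable inside a rule as `$NAME`). The function names, the sample rules and their sids are constructed for illustration.

```python
import ipaddress
import re

# Snort rule header: action proto src sport -> dst dport (options)
HEADER = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->)\s+(?P<rest>.+)$'
)

def station_var(cidrs, name="SNMP_MGMT_STATIONS"):
    """Build the `var` line; a malformed CIDR raises ValueError."""
    nets = [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]
    return f"var {name} [{','.join(nets)}]"

def exclude_stations(rules_text, var="SNMP_MGMT_STATIONS",
                     src="$EXTERNAL_NET", match="SNMP"):
    """Comment out matching rules and append copies with source !$var.

    Lines that are already commented, use a different source, or whose
    msg does not contain `match` are passed through unchanged.
    """
    out = []
    for line in rules_text.splitlines():
        m = HEADER.match(line.strip())
        msg = re.search(r'msg:\s*"([^"]*)"', line)
        if not m or m["src"] != src or not msg or match not in msg.group(1):
            out.append(line)
            continue
        out.append("# " + line.strip())  # keep the original for reference
        out.append(f'{m["action"]} {m["proto"]} !${var} {m["sport"]} '
                   f'{m["dir"]} {m["rest"]}')
    return "\n".join(out)

# Constructed sample rules (sids are from the local range, not real rules).
SAMPLE = "\n".join([
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; sid:1000001; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET login attempt"; sid:1000003; rev:1;)',
    '# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP disabled"; sid:1000004; rev:1;)',
])

if __name__ == "__main__":
    print(station_var(["10.1.1.2/32", "192.168.31.5/32", "10.10.10.0/24"]))
    print(exclude_stations(SAMPLE))
```

Running the helper a second time over its own output changes nothing, because the rewritten copies no longer have `$EXTERNAL_NET` as their source.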





