[Snort-users] ignore a single host

Shnitko, Maxim {PBG} Maxim.Shnitko at ...12618...
Tue Nov 23 00:13:00 EST 2004


Yes, you are right, but a better way is to create a new variable with a
name, for example "SNMP_CONSOLES", for future use. And in case you change
the IP address or add an additional PC with the same functions, you will
just add the new IP address into the variable field. At present I'm using
65 manually created rules to filter the false alerts, for example SNMP
requests from CIM.

Maxim
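Maxim's variable-plus-pass-rule approach written out as a Snort 2.x configuration fragment (an added example, not from this thread or from the Snort project; the second console address 192.0.2.10 and the local SID 1000001 are placeholders chosen for illustration):

```snort
# --- snort.conf -------------------------------------------------------------
# Define the trusted SNMP consoles once. When a console is renumbered or a
# second one is added, only this list changes; the rule below stays as is.
# 12.170.222.13 is the console from the alert in this thread; 192.0.2.10 is an
# assumed placeholder for a further console. (Newer Snort 2.x also accepts
# "ipvar" for address lists.)
var SNMP_CONSOLES [12.170.222.13,192.0.2.10]

# Older Snort 2.x evaluates rules in the order alert -> pass -> log, so a pass
# rule never gets a chance to suppress an alert. Make pass rules win
# explicitly (same effect as starting Snort with -o).
config order: pass alert log

# --- local.rules ------------------------------------------------------------
# Copy of the stock "SNMP request udp" rule (SID 1417) restricted to the
# consoles and turned into a pass rule. Use a local SID (1000000 and up)
# rather than reusing 1417 so the pass rule does not collide with the stock
# alert rule, which still fires for every other source address.
pass udp $SNMP_CONSOLES any -> $HOME_NET 161 (msg:"SNMP request udp from management console"; sid:1000001; rev:1;)
```

Validate the result with `snort -T -c snort.conf` before restarting the daemon.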


-----Original Message-----
From: isp [mailto:isp at ...12699...] 
Sent: Tuesday, November 23, 2004 10:35 AM
To: Shnitko, Maxim {PBG}; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ignore a single host


Sorry about the next question, but I'm new to this.
You mean go to snmp.rules,
copy the SNMP "request udp" rule (alert udp $EXTERNAL_NET any -> $HOME_NET
161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089;
reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013;
classtype:attempted-recon; sid:1417; rev:9;))

then put that in local.rules (which is empty but loaded in my snort.conf),
then change it to say:

pass udp 12.170.222.13 any -> $HOME_NET 161 (msg:"SNMP request udp";
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon;
sid:1417; rev:9;)

then save it and reload Snort?
Am I reading this right?

thanks terry

----- Original Message ----- 
From: "Shnitko, Maxim {PBG}" <Maxim.Shnitko at ...12618...>
To: "'isp'" <isp at ...12699...>; <snort-users at lists.sourceforge.net>
Sent: Tuesday, November 23, 2004 12:43 AM
Subject: RE: [Snort-users] ignore a single host


> Open the signature  "SNMP request udp" save it as a new (local.rules) 
> add the new variable name with that host address, add this new 
> variable as a source address into the created signature and replace 
> the "alert" with "pass"... That is all.
>
> Regards,
> Maxim
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of isp
> Sent: Sunday, November 21, 2004 12:44 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] ignore a single host
>
>
> Can't quite figure out how to ignore a single computer.
>
> I have a computer which continuously gets the following alert.  It is
> because it is making lots of SNMP requests, which is what it is supposed
> to do.  How do I get snort to ignore a single host like this or just
> ignore this particular alert?
>
> thanks terry
>
>
> [**] [1:1417:9] SNMP request udp [**]
> [Classification: Attempted Information Leak] [Priority: 2] 
> 11/21-03:37:59.626234 12.170.222.13:53965 -> 12.170.222.148:161 UDP 
> TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:118 DF
> Len: 90
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012]
> [Xref => http://www.securityfocus.com/bid/4132]
> [Xref => http://www.securityfocus.com/bid/4089]
> [Xref => http://www.securityfocus.com/bid/4088]
>
>
