[Snort-users] ignore a single host
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Tue Nov 23 01:16:13 EST 2004
--On 22 November 2004 12:23 -0500 Matt Kettler <mkettler at ...4108...> wrote:
> At 04:44 AM 11/21/2004, isp wrote:
>> I have a computer which continuously gets following alert. It is
>> because it is making lots of SNMP requests which is what it is supposed
>> to do. How do I get snort to ignore a single host like this or just
>> ignore this particular alert?
> Option 1 - pass rules
> Create a pass rule for the host, and add -o to your snort
> command line so pass rules get applied first.
> Option 2 - bpf filters
> Pass a BPF filter on the command line that will ignore this
> host. See the tcpdump manpages for information on BPF syntax, as tcpdump
> uses the same BPF library as snort. Something like "host not 188.8.131.52"
> should work, or "udp and src not 184.108.40.206" as a more specific version.
> Option 3 - comment out the rule in the rulefile.
> It's a bit brute force, but it works. It should be in
> snmp.rules. Use grep to find a rule with sid:1417.
> Option 4 - suppress the alert:
> suppress gen_id 1, sig_id 1417
Option 5 - edit the rule so that the host or hosts in question are excluded:
var NOISY_SNMP_HOSTS [10.1.1.1/32,10.1.1.2/32]
alert udp $EXTERNAL_NET any -> !$NOISY_SNMP_HOSTS 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
It's probably best to do such editing using a tool such as oinkmaster.
Incidentally, shouldn't this rule be using !$SNMP_SERVERS as the
destination, rather than $HOME_NET?
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
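A small helper, added here as an example and not code from this thread or from the Snort project, that automates Options 4 and 5 above for a named set of noisy hosts. It parses a one-line Snort 2 rule (the sid 1417 rule from the thread, re-typed here as a constructed sample), rewrites the chosen address field to `!$VAR` the way Alex's edit does, and emits `suppress` entries scoped with `track by_src` so the alert is silenced only for the known poller rather than for every host on the network. The variable name and the 10.1.1.x addresses are constructed; the `side`, `track` and `keyword` parameters are this helper's own, not Snort options.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the SNMP rule (sid 1417) quoted in the thread, on one line.
SNMP_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; '
    'reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; '
    'reference:cve,2002-0012; reference:cve,2002-0013; '
    'classtype:attempted-recon; sid:1417; rev:9;)'
)

# Snort 2 rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(rule):
    """Split a one-line Snort rule into its header fields plus gid/sid from the options."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a Snort rule header: %r" % rule)
    fields = m.groupdict()
    sid = re.search(r'\bsid:\s*(\d+)\s*;', fields['opts'])
    if sid is None:
        raise ValueError("rule has no sid option")
    gid = re.search(r'\bgid:\s*(\d+)\s*;', fields['opts'])
    fields['sid'] = int(sid.group(1))
    fields['gid'] = int(gid.group(1)) if gid else 1   # generator 1 = the rules engine
    return fields


def _networks(hosts):
    # Reject malformed addresses (or a CIDR with host bits set) before they reach
    # a running sensor's config; a bare address becomes a /32.
    return [ip_network(h) for h in hosts]


def exclude_hosts(rule, var_name, hosts, side='dst', keyword='var'):
    """Option 5: rewrite one address field to !$VAR and emit the matching variable line.

    side='dst' mirrors the edit in the thread; side='src' excludes the host that is
    *sending* the SNMP requests, which is the noisy poller the original poster described.
    Older Snort 2 releases declare IP lists with 'var', newer ones with 'ipvar'.
    """
    if side not in ('src', 'dst'):
        raise ValueError("side must be 'src' or 'dst'")
    f = parse_rule(rule)
    var_line = '%s %s [%s]' % (keyword, var_name, ','.join(str(n) for n in _networks(hosts)))
    f[side] = '!$' + var_name
    new_rule = ('%(action)s %(proto)s %(src)s %(sport)s %(dir)s '
                '%(dst)s %(dport)s (%(opts)s)' % f)
    return var_line, new_rule


def suppress_lines(rule, hosts, track='by_src'):
    """Option 4, scoped: suppress the rule's gid/sid only for the listed hosts.

    One 'suppress' line per host keeps the output valid on Snort versions whose
    threshold.conf accepts a single address per entry.
    """
    if track not in ('by_src', 'by_dst'):
        raise ValueError("track must be 'by_src' or 'by_dst'")
    f = parse_rule(rule)
    out = []
    for net in _networks(hosts):
        # Write single hosts as a plain address, real subnets in CIDR form.
        ip = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        out.append('suppress gen_id %d, sig_id %d, track %s, ip %s'
                   % (f['gid'], f['sid'], track, ip))
    return out


if __name__ == '__main__':
    var_line, rule = exclude_hosts(SNMP_RULE, 'NOISY_SNMP_HOSTS', ['10.1.1.1', '10.1.1.2/32'])
    print(var_line)
    print(rule)
    for line in suppress_lines(SNMP_RULE, ['10.1.1.1']):
        print(line)
```

Note that, exactly as in Alex's edit, replacing the field with `!$NOISY_SNMP_HOSTS` widens it from `$HOME_NET` to "anything except the listed hosts"; the scoped `suppress` lines are the lighter-touch option because they leave the rule itself untouched and still fire for any host not on the list.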