[Snort-users] ignore a single host

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Nov 23 01:16:13 EST 2004


--On 22 November 2004 12:23 -0500 Matt Kettler <mkettler at ...4108...> wrote:

> At 04:44 AM 11/21/2004, isp wrote:
>> I have a computer which continuously gets following alert.  It is
>> because it is making lots of SNMP requests which is what it is suppose
>> to do.  How do I get snort to ignore a single host like this or just
>> ignore this particular alert?
>
> Option 1 - pass rules
>          create a pass rule for the host, and add -o to your snort
> command line so pass rules get applied first
>
> Option 2 - bpf filters
>          pass a BPF filter on the command line that will ignore this
> host. See the tcpdump manpages for information on BPF syntax, as tcpdump
> uses the same BPF library as snort. something like "host not 1.1.1.1"
> should work, or "udp and src not 1.1.1.1" as a more specific version.
>
> Option 3 - comment out the rule in the rulefile.
>          it's a bit brute force, but it works. It should be in
> snmp.rules. Use grep to find a rule with sid:1417.
>
> Option 4 - suppress the alert:
>          suppress gen_id 1 , sid_id 1417
>
> http://www.snort.org/docs/snort_manual/node12.html

Option 5 - edit the rule so that the host or hosts in question are excluded:

var NOISY_SNMP_HOSTS [10.1.1.1/32,10.1.1.2/32]

alert udp $EXTERNAL_NET any -> !$NOISY_SNMP_HOSTS 161 (msg:"SNMP request 
udp"; reference:bugtraq,4088; reference:bugtraq,4089; 
reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; 
classtype:attempted-recon; sid:1417; rev:9;)

It's probably best to do such editing using a tool such as oinkmaster.

Incidentally, shouldn't this rule be using !$SNMP_SERVERS as the 
destination, rather than $HOME_NET?

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list