[Snort-users] Thresholding and suppression

Lance Boon lboon at ...11799...
Fri Oct 15 07:54:07 EDT 2004


I think I've figured out the problem. I set the var TELNET_SERVERS to
$HOME_NET, then set up Snort to log to a tcpdump file with just sid 716
enabled, and it's logging the way that I want it to now. I guess I was
misunderstanding about using the var WHATEVER_SERVERS portion. Correct
me if I'm wrong, but if you specify an IP in there, Snort will only look
for attacks going to that specific IP address. Now if I wanted to see if
anybody was using telnet or whatever, I should have that set to var
WHATEVER_SERVERS $HOME_NET? Also it looks like you are right on that
JetDirect box as well; I had to enable a telnet server on a 2003 server
to get this rule to fire. Thanks for the help.

That rule actually gets triggered upon seeing a specific response from
a Telnet server. Your JetDirect box may not be using a standard
telnet server, so it doesn't respond in a way that the rule is
expecting.

> I've run into something strange when using the threshold.conf file. If I
> try to:
> 
> suppress gen_id 1, sig_id 716, track by_src, ip x.x.x.x
> 
> all alerts that are generated for telnet access to that specific IP
> address are suppressed as expected, but if I try to telnet to a JetDirect
> box I would think that alerts should be generated for that sig, as the IP
> address is different, but I don't see any alerts generated...
> Everything else is working correctly; I'm using Snort 2.2/latest
> ruleset/barnyard 0.2.0. I've got my home net set to x.x.x.x/20 and var
> EXTERNAL_NET !$HOME_NET with an IP in the var TELNET_SERVERS [x.x.x.x].
> Am I just missing something?
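The two things the thread turns on are (a) what a threshold.conf suppress line actually matches, and (b) the direction of the packet that sid 716 fires on. Since the rule triggers on the Telnet server's response, the server is the *source* of the matching packet, so `track by_src, ip <server>` silences it; a device that never produces that response (or is not in $TELNET_SERVERS) never generates an alert to suppress in the first place. The following is an added example, not code from the thread or from Snort itself: a small Python model of suppress matching (gen_id/sig_id, track by_src vs by_dst, single IP or CIDR) run over constructed alert events. The threshold.conf fragment, the addresses 10.1.2.3 (telnet server), 10.1.2.9 (printer), 203.0.113.5 (client) and the sample alerts are all made up for the example; the only claim about Snort behaviour is the suppress semantics stated in the lead-in.

```python
import ipaddress

# Constructed threshold.conf fragment (sample input for this example, not from the post).
THRESHOLD_CONF = """
# silence sid 716 when the packet's source is the telnet server 10.1.2.3
suppress gen_id 1, sig_id 716, track by_src, ip 10.1.2.3
# silence sid 716 for anything whose destination is inside a lab subnet
suppress gen_id 1, sig_id 716, track by_dst, ip 192.168.0.0/24
"""

# Constructed alert events as (gen_id, sig_id, src, dst). The addresses are assumptions.
SAMPLE_ALERTS = [
    (1, 716, "10.1.2.3", "203.0.113.5"),   # telnet server answering a client: suppressed by_src
    (1, 716, "10.1.2.9", "203.0.113.5"),   # printer answering a client: NOT suppressed
    (1, 716, "10.1.2.9", "192.168.0.7"),   # same printer, lab client: suppressed by_dst
    (1, 718, "10.1.2.3", "203.0.113.5"),   # different sid from the server: NOT suppressed
]


def parse_suppress(text):
    """Parse 'suppress gen_id N, sig_id N[, track by_src|by_dst, ip A]' lines.

    Comments and non-suppress lines are ignored. A suppress line without a
    track/ip pair suppresses the signature for every address.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress"):
            continue
        fields = {}
        for part in line[len("suppress"):].split(","):
            key, value = part.split()
            fields[key] = value
        rules.append({
            "gen_id": int(fields["gen_id"]),
            "sig_id": int(fields["sig_id"]),
            "track": fields.get("track"),            # 'by_src', 'by_dst' or None
            "net": ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None,
        })
    return rules


def is_suppressed(rules, gen_id, sig_id, src, dst):
    """True if any suppress rule matches this event.

    by_src compares only the packet's source address, by_dst only its
    destination; a rule with no address matches unconditionally.
    """
    for rule in rules:
        if rule["gen_id"] != gen_id or rule["sig_id"] != sig_id:
            continue
        if rule["net"] is None:
            return True
        addr = src if rule["track"] == "by_src" else dst
        if ipaddress.ip_address(addr) in rule["net"]:
            return True
    return False


def filter_alerts(rules, alerts):
    """Return the alerts that would still be reported after suppression."""
    return [a for a in alerts if not is_suppressed(rules, *a)]


if __name__ == "__main__":
    rules = parse_suppress(THRESHOLD_CONF)
    for gen_id, sig_id, src, dst in filter_alerts(rules, SAMPLE_ALERTS):
        print(f"[{gen_id}:{sig_id}] {src} -> {dst} still alerts")
```

Running it shows only the printer-to-external-client event and the sid 718 event surviving. Note the asymmetry: the by_src rule for 10.1.2.3 does not touch a packet going *to* 10.1.2.3, so if you want to silence a host in both roles you need two suppress lines, one by_src and one by_dst.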