[Snort-users] Rules Question

Jeff Dell jdell at ...1095...
Mon Feb 28 12:54:26 EST 2005


These rules will not stop the preprocessors; what you want to do is add
options in the portscan preprocessor to ignore certain hosts. To remove
certain hosts altogether without worrying about any of these pass rules,
just add a BPF (Berkeley packet filter) expression to the end of the command
that starts Snort.

Example (the filter is quoted so the shell does not interpret the parentheses):
snort -d -A fast -c snort.conf "not (src host 192.168.1.5 and dst port 80)"


Jeff

> -----Original Message-----
> From: Roy Kidder [mailto:rkidder at ...13076...] 
> Sent: Monday, February 28, 2005 3:41 PM
> To: 'Jeff Dell'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Rules Question
> 
> Even when using the -o flag, I still get alerts on many 
> things. For example,
> 
> pass udp 192.168.1.33 any -> any 161
> 
> still generates alerts for 'SNMP request udp'
> 
> and neither sfscan nor rules like:
> 
> pass ip  192.168.1.5/32 any -> any 80
> pass tcp 192.168.1.5/32 any -> any 80
> 
> stop the '(portscan) Open Port' alerts for regular web browsing.
> 
> Anyone have any suggestions?
> 
> 
> > -----Original Message-----
> > From: Jeff Dell [mailto:jdell at ...1095...] 
> > Sent: Friday, February 25, 2005 9:04 AM
> > To: 'Roy Kidder'; snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Rules Question
> > 
> > Check your rules order. By default it is alert -> pass -> log 
> > -> etc...
> > 
> > Try adding the flag -o to your command line options when 
> > starting snort.
> > 
> > Cheers,
> > Jeff 
> > 
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net 
> > > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> > > Roy Kidder
> > > Sent: Friday, February 25, 2005 8:26 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] Rules Question
> > > 
> > > I'm trying to write what I expected to be a simple set of rules, 
> > > but it's not
> > > working for me. They look like this:
> > > 
> > > pass udp any any <> 10.0.0.10 53
> > > pass udp any any <> 192.168.1.5 53
> > > alert udp any any <> any 53 (msg: "DNS Query";)
> > > 
> > > What I expected was to alert on any DNS queries except those 
> > > to 10.0.0.10 or
> > > to 192.168.1.5. Instead, I'm seeing alerts on everything 
> > > including those two
> > > hosts. 
> > > 
> > > Any pointers on what I did wrong?
> > > 
> > > Thanks in advance,
> > > Roy
> > > 
> > >  
> > > Roy Kidder
> > > Network Engineer
> > > Safelite Glass Corp.
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > 
> > 
> > 
> 
> 
> 
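The behaviour this thread circles around (a BPF runs before anything else, preprocessors such as sfportscan run before the rule engine and never consult pass rules, and rule types are evaluated in the configured order, alert -> pass -> log by default or pass -> alert -> log with -o) modelled as a small simulator. This is an added example, not Snort's code: rule parsing is reduced to the header fields used in the thread, the packets and the portscan stand-in are constructed, and Snort is simplified to "the first rule type with a match decides the packet".

```python
import ipaddress
from collections import namedtuple
Pkt = namedtuple("Pkt", "proto src sport dst dport")
Rule = namedtuple("Rule", "action proto src sport direction dst dport msg")

def parse_rule(line):
    """Parse a rule header; only the fields used in the thread are modelled."""
    action, proto, src, sport, direction, dst, dport = line.split()[:7]
    msg = line.split("msg:")[1].split(";")[0].strip().strip('"') if "msg:" in line else action
    return Rule(action, proto, src, sport, direction, dst, dport, msg)

def _ip_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def _one_way(r, src, sport, dst, dport):
    return _ip_ok(r.src, src) and _port_ok(r.sport, sport) and _ip_ok(r.dst, dst) and _port_ok(r.dport, dport)

def rule_hits(r, p):
    """'->' matches one direction; '<>' also matches the reply."""
    if r.proto not in ("ip", p.proto):
        return False
    return _one_way(r, p.src, p.sport, p.dst, p.dport) or (
        r.direction == "<>" and _one_way(r, p.dst, p.dport, p.src, p.sport))

def evaluate(p, rules, order=("alert", "pass", "log"), bpf=None, preprocessors=()):
    """Alert messages one packet produces. order=("pass", "alert", "log") models -o."""
    if bpf and not bpf(p):                       # a BPF runs first: nothing downstream sees the packet
        return []
    out = [m for pre in preprocessors for m in [pre(p)] if m]   # preprocessors never consult pass rules
    for action in order:                         # the first rule type with a match decides the packet
        hits = [r for r in rules if r.action == action and rule_hits(r, p)]
        if hits:
            return out + [r.msg for r in hits] if action == "alert" else out
    return out

# Roy's rules, quoted from the thread
ROY_RULES = [parse_rule(l) for l in ("pass udp any any <> 10.0.0.10 53",
                                     "pass udp any any <> 192.168.1.5 53",
                                     'alert udp any any <> any 53 (msg: "DNS Query";)')]
# constructed sample packets and a stand-in for the sfportscan "Open Port" event
DNS_ALLOWED = Pkt("udp", "192.168.1.50", 40000, "10.0.0.10", 53)
WEB = Pkt("tcp", "192.168.1.5", 50000, "203.0.113.7", 80)
def fake_portscan(p):
    return "(portscan) Open Port" if p.proto == "tcp" and p.dport == 80 else None
# Jeff's filter: not (src host 192.168.1.5 and dst port 80)
def jeff_bpf(p):
    return not (p.src == "192.168.1.5" and p.dport == 80)
```

With the default order the DNS packet to 10.0.0.10 still alerts, with -o it does not, and the portscan event survives -o and the tcp pass rule but not the BPF.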
