[Snort-users] New User

Matt Kettler mkettler at ...4108...
Tue Mar 1 13:16:24 EST 2005


At 07:47 AM 3/1/2005, Jerry Thompson wrote:
>1.  How do I stop the alert Web-misc robots.txt access?  I have searched
>every rule set and cannot find the rule.

Check web-misc.rules again..

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)



>2.  Is it possible to instruct snort to ignore entire subnets?  For
>example, I would love to instruct Snort to ignore my private networks.
>Snort is monitoring my DMZ and I'm really only interested in alerts
>generated from the public side.


Probably the best thing would be to create a BPF filter for your snort 
command line. They're the same format as tcpdump's, i.e.:

snort not net 10.0.0.0/24

would ignore 10.0.0.0/24 as either a source or a destination, and packets 
to or from that network will be dropped before the snort rules see them 
(saves CPU time).

>Please don't beat me up for using a Windows version.

That's fine. However, I would suggest getting yourself a copy of grep for 
Windows so you can use it to search all the rule files for a string. I 
found your rule with:

grep "robots.txt" *.rules

It may be a command line utility, but grep really is a fantastically handy 
tool for stuff like this. Something based on GNU grep would work fine.

Here's one project that ported several GNU Unix utility apps as native 
Windows command-line programs:
http://unxutils.sourceforge.net/
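An added example, not part of the post above or of Snort's own code: a small Python script that does the same job as the grep command in the reply (find which rule a string lives in and report its sid), comments that rule out so the alert stops firing, and builds the BPF expression that excludes one or more subnets on the Snort command line. The rule-file text is constructed for this example; the robots.txt line is the real rule quoted in the reply, the second rule and its sid are made up.

```python
"""Added example (not from the mailing-list post): find a Snort rule by a
string in its body, comment it out by sid, and build a BPF subnet exclusion."""
import ipaddress

# Constructed sample in the style of web-misc.rules.  Line 2 is the real rule
# from the thread; line 3 is a made-up rule with a made-up local sid.
SAMPLE_RULES = """\
# web-misc.rules (constructed sample for this example)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC example /admin access"; flow:to_server,established; uricontent:"/admin"; nocase; classtype:web-application-activity; sid:9000001; rev:1;)
"""


def split_options(body):
    """Split the text inside a rule's parentheses on ';' outside double quotes,
    honouring backslash escapes, so a ';' inside msg/content is not a separator."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Parse one Snort rule line into its header fields and an option dict.
    Comments, blank lines and lines without a 7-token header return None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return None
    header = line[:start].split()
    if len(header) != 7 or header[4] not in ("->", "<>"):
        return None
    options = {}
    for opt in split_options(line[start + 1:end]):
        key, _, value = opt.partition(":")       # 'nocase' has no value part
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.setdefault(key.strip(), value)   # first occurrence wins
    return {"action": header[0], "proto": header[1], "src": header[2],
            "src_port": header[3], "direction": header[4], "dst": header[5],
            "dst_port": header[6], "options": options}


def find_rules(rules_text, needle):
    """Return (sid, msg) for every rule containing needle, case-insensitively:
    the same search as `grep -i "robots.txt" *.rules`, but reporting the sid."""
    hits = []
    for line in rules_text.splitlines():
        if needle.lower() in line.lower():
            rule = parse_rule(line)
            if rule:
                hits.append((rule["options"].get("sid"), rule["options"].get("msg")))
    return hits


def disable_rule(rules_text, sid):
    """Comment out the rule with the given sid.  Returns (new_text, changed)."""
    out, changed = [], False
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["options"].get("sid") == str(sid):
            line = "# " + line
            changed = True
        out.append(line)
    return "\n".join(out) + "\n", changed


def exclude_nets_bpf(nets):
    """Build a BPF filter that drops packets to or from each subnet before the
    rules see them.  BPF puts 'not' before the qualifier: 'not net 10.0.0.0/24'."""
    terms = []
    for n in nets:
        net = ipaddress.ip_network(n, strict=False)   # ValueError on bad input
        terms.append(f"not net {net.with_prefixlen}")
    return " and ".join(terms)


if __name__ == "__main__":
    print(find_rules(SAMPLE_RULES, "robots.txt"))
    print(exclude_nets_bpf(["10.0.0.0/24", "192.168.1.0/24"]))
```

The filter string is what you would append to the snort command line (snort not net 10.0.0.0/24 and not net 192.168.1.0/24); disable_rule writes the whole file back with the matching rule commented out, which is the minimal way to silence one sid without touching the rest of the file.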