[Snort-users] New User
mkettler at ...4108...
Tue Mar 1 13:16:24 EST 2005
At 07:47 AM 3/1/2005, Jerry Thompson wrote:
>1. How do I stop the alert Web-misc robots.txt access? I have searched
>every rule set and cannot find the rule.
Check web-misc.rules again..
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC robots.txt access"; flow:to_server,established;
uricontent:"/robots.txt"; nocase; reference:nessus,10302;
classtype:web-application-activity; sid:1852; rev:3;)
>2. Is it possible to instruct snort to ignore entire subnets? For
>example, I would love to instruct Snort to ignore my private networks.
>Snort is monitoring my DMZ and I'm really only interested in alerts
>generated from the public side.
Probably the best thing would be to create a BPF filter for your snort
command line. They're the same format as tcpdump:
snort net not 10.0.0.0/24
would ignore 10.0.0.0/24 as either a source or a destination, and packets
to or from that network will be dropped before the snort rules see them
(saves CPU time).
>Please don't beat me up for using a Windows version.
That's fine.. however, I would suggest getting yourself a copy of grep for
Windows so you can use it to search all the rulefiles for a string.. I
found your rule with:
grep "robots.txt" *.rules
It may be a command line utility, but grep really is a fantastically handy
tool for stuff like this. Something based on GNU grep would work fine...
Here's one project that ported several GNU Unix utility apps as native
Windows command-line programs:
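Added example, not part of the original message and not Snort project code: a Python stand-in for the grep search described above, for a host that has no grep. It goes a little beyond grep by matching case-insensitively, joining backslash-continued rules, and reporting the file, line, sid and whether the rule is commented out. The function names and the sample rule files are constructed for this example.

```python
import re, tempfile
from pathlib import Path

MSG = re.compile(r'msg\s*:\s*"([^"]*)"')
SID = re.compile(r'\bsid\s*:\s*(\d+)')

def logical_rules(text):
    """Yield (first_line_no, rule), joining backslash-continued lines."""
    buf, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        start = start or no
        if line.endswith("\\"):          # rule continues on the next line
            buf.append(line[:-1].strip())
            continue
        rule, first = " ".join(buf + [line]).strip(), start
        buf, start = [], None
        if rule:
            yield first, rule

def find_rules(rule_dir, needle):
    """Case-insensitive substring search over every *.rules file in rule_dir."""
    hits = []
    for path in sorted(Path(rule_dir).glob("*.rules")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, rule in logical_rules(text):
            if needle.lower() in rule.lower():
                msg, sid = MSG.search(rule), SID.search(rule)
                hits.append({"file": path.name, "line": line_no,
                             "enabled": not rule.startswith("#"),
                             "msg": msg.group(1) if msg else None,
                             "sid": int(sid.group(1)) if sid else None})
    return hits

# Constructed sample files: the rule quoted in the message (split with
# continuations to exercise the multi-line form) plus a made-up local rule.
SAMPLE = {
    "web-misc.rules": '# constructed header comment\n'
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \\\n'
        '(msg:"WEB-MISC robots.txt access"; flow:to_server,established; \\\n'
        'uricontent:"/robots.txt"; nocase; reference:nessus,10302; \\\n'
        'classtype:web-application-activity; sid:1852; rev:3;)\n',
    "local.rules": '# alert tcp any any -> any 80 (msg:"constructed example"; sid:1000001;)\n',
}

def demo():
    """Write the constructed files to a temp directory and search them."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            Path(d, name).write_text(body, encoding="utf-8")
        return find_rules(d, "ROBOTS.TXT")
```

Calling find_rules with the real rules directory and part of the alert message gives the file and sid of the rule that produced the alert.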