[Snort-users] Rules Question
trefalgar at ...14634...
Wed Aug 12 13:24:30 EDT 2009
I'm not sure if I'm thinking about this in the "Snort" way or not, but ...
I'm receiving a lot of "RPC portmap listing TCP 111" alerts from Snort
running in IDS mode. We have two different NFS servers to which I can
attribute 99% of the alarms (over 4,000 in less than 24 hours).
I'd like to be able to specifically ignore requests going to these two
servers. I assume this is a rules update, so I tried updating this rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)
Instead of $HOME_NET, I tried [any,!IP#1,!IP#2]. It didn't seem to
work, as I continued to get the same RPC alarms.
Am I not thinking in the proper Snort way, or is this just a syntax
problem within my host list?
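Added example (not part of the original post or of the Snort distribution): two defensive ways of keeping sid 598 active for the rest of $HOME_NET while excluding the two NFS servers. The addresses 192.0.2.10 and 192.0.2.11 and the variable names NFS_SERVERS and PORTMAP_WATCH are placeholders assumed for illustration; the rule body is the one quoted above with only the header and rev changed.

```snort
# snort.conf -- placeholder addresses, assumed for this example
ipvar NFS_SERVERS [192.0.2.10,192.0.2.11]

# Negation in Snort 2.x IP lists is applied to a bracketed group, not
# written as "[any,!a,!b]": non-negated entries are OR'ed and the result
# is AND'ed with the negated group. A variable combining $HOME_NET with
# the negated NFS list gives a destination set of "home net minus NFS".
ipvar PORTMAP_WATCH [$HOME_NET,!$NFS_SERVERS]

# Option 1: local copy of sid 598 (rev bumped) whose destination uses
# that variable. Keep it in local.rules and disable the stock copy so
# the same sid is not loaded twice.
alert tcp $EXTERNAL_NET any -> $PORTMAP_WATCH 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:14;)

# Option 2: leave the stock rule untouched and drop the events at the
# output stage instead (threshold.conf, or "config detection" style
# suppress lines in snort.conf). track by_dst keys on the destination,
# so traffic to any other host still alerts.
suppress gen_id 1, sig_id 598, track by_dst, ip 192.0.2.10
suppress gen_id 1, sig_id 598, track by_dst, ip 192.0.2.11
```

Option 1 changes what the detection engine evaluates, so the NFS traffic costs no rule-matching work and leaves no event; option 2 keeps the rule exactly as shipped and is easier to maintain across rule updates, at the price of still matching the packets before discarding the event. Either way, verify with `snort -T -c snort.conf` that the configuration parses before reloading.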