[Snort-users] Rules Question

Jacob Steinberger trefalgar at ...14634...
Wed Aug 12 14:16:41 EDT 2009


$HOME_NET = [172.19.0.0/16]

If I add a suppression, would that still parse correctly?
`[172.19.0.0/16][!IP#1,!IP#2]`, or am I confusing the 'suppression'
term with negate? ;)

Jacob

Quoting Joel Esler <jesler at ...1935...>:

> Why don't you leave $HOME_NET as $HOME_NET and use a suppression to tune out
> the two servers that you want to eliminate from the alert process?
> J
>
> On Wed, Aug 12, 2009 at 1:24 PM, Jacob Steinberger <
> trefalgar at ...14634...> wrote:
>
>> I'm not sure if I'm thinking about this in the "Snort" way or not, but ...
>>
>> I'm receiving a lot of "RPC portmap listing TPC 111" alerts from snort
>> running in IDS mode. We have two different NFS servers which I can
>> attribute 99% of the alarms from (over 4,000 in less than 24 hours).
>>
>> I'd like to be able to specifically ignore requests going to these two
>> servers. I assume this is a rules update, so I tried updating this rule:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing
>> TCP 111"; flow:to_server,established; content:"|00 01 86 A0|";
>> depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4;
>> content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc;
>> reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)
>>
>> Instead of $HOME_NET, I tried, [any,!IP#1, !IP#2]. It didn't seem to
>> work as I continued to get the same RPC alarms.
>>
>> Am I not thinking in the proper snort way, or is this just a syntax
>> problem within my host list?
>>
>> Jacob
>>
>>
>>
>
> -- Joel Esler | Sourcefire | Google Voice: 302-223-5974
>
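The two mechanisms the thread contrasts, modelled as an added example (not code from the thread or from Snort itself): an ipvar-style IP list with `!` negation, and a `suppress gen_id ..., sig_id ..., track by_dst, ip ...` entry of the kind threshold.conf accepts, run over constructed sample alerts. It models the documented list semantics for flat lists only (an address matches when it hits a non-negated entry and no negated one); nested `![a,b]` groups and Snort's own validity rules for mixing `any` with negation are not reproduced, and all addresses are constructed placeholders.

```python
import ipaddress


def parse_ip_list(spec):
    """Parse a flat Snort-style IP list such as '[172.19.0.0/16,!172.19.0.10]'
    into (positive, negated) network lists. 'any' (stored as None) matches all.
    Simplified model of the documented ipvar semantics, not Snort's parser."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positive, negated = [], []
    for item in spec.split(","):
        item = item.strip()
        neg = item.startswith("!")
        item = item.lstrip("!").strip()
        net = None if item == "any" else ipaddress.ip_network(item, strict=False)
        (negated if neg else positive).append(net)
    return positive, negated


def ip_in_list(addr, spec):
    """True when addr hits at least one non-negated entry and no negated entry."""
    positive, negated = parse_ip_list(spec)
    a = ipaddress.ip_address(addr)
    hit = lambda net: net is None or a in net
    return any(hit(n) for n in positive) and not any(hit(n) for n in negated)


# Mirrors: suppress gen_id 1, sig_id 598, track by_dst, ip [172.19.0.10,172.19.0.11]
# (constructed addresses standing in for the two NFS servers)
SUPPRESS = [
    {"gen_id": 1, "sig_id": 598, "track": "by_dst", "ip": "[172.19.0.10,172.19.0.11]"},
]


def is_suppressed(alert, suppress=SUPPRESS):
    """Apply suppress entries: match on gid/sid, then on the tracked address."""
    for s in suppress:
        if (s["gen_id"], s["sig_id"]) != (alert["gid"], alert["sid"]):
            continue
        key = "dst" if s["track"] == "by_dst" else "src"
        if ip_in_list(alert[key], s["ip"]):
            return True
    return False


ALERTS = [  # constructed sample events for sid 598 (RPC portmap listing TCP 111)
    {"gid": 1, "sid": 598, "src": "203.0.113.5", "dst": "172.19.0.10"},  # NFS server: dropped
    {"gid": 1, "sid": 598, "src": "203.0.113.5", "dst": "172.19.0.99"},  # other host: kept
    {"gid": 1, "sid": 599, "src": "203.0.113.5", "dst": "172.19.0.10"},  # other sid: kept
]


def filter_alerts(alerts=ALERTS):
    """Return the alerts that survive suppression, leaving the rule itself untouched."""
    return [a for a in alerts if not is_suppressed(a)]
```

The point of the suppress route is that `$HOME_NET` and sid 598 stay as shipped, so later rule updates do not reintroduce the noise.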