[Snort-users] Rules Question

Joel Esler jesler at ...1935...
Wed Aug 12 14:17:48 EDT 2009


You are confusing the two.  Take a look at the manual for Suppression, or
check out the README.thresholding file in the doc/ directory of the Snort
tarball.
Joel

On Wed, Aug 12, 2009 at 2:16 PM, Jacob Steinberger <
trefalgar at ...14634...> wrote:

> $HOME_NET = [172.19.0.0/16]
>
> If I add a suppression, would that still parse correctly?
> `[172.19.0.0/16][!IP#1,!IP#2]`, or am I confusing the 'suppression'
> term with negate? ;)
>
> Jacob
>
>
> Quoting Joel Esler <jesler at ...1935...>:
>
>> Why don't you leave $HOME_NET as $HOME_NET and use a suppression to tune
>> out the two servers that you want to eliminate from the alert process?
>> J
>>
>> On Wed, Aug 12, 2009 at 1:24 PM, Jacob Steinberger <
>> trefalgar at ...14634...> wrote:
>>
>>> I'm not sure if I'm thinking about this in the "Snort" way or not, but
>>> ...
>>>
>>> I'm receiving a lot of "RPC portmap listing TCP 111" alerts from snort
>>> running in IDS mode. We have two different NFS servers which I can
>>> attribute 99% of the alarms from (over 4,000 in less than 24 hours).
>>>
>>> I'd like to be able to specifically ignore requests going to these two
>>> servers. I assume this is a rules update, so I tried updating this rule:
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing
>>> TCP 111"; flow:to_server,established; content:"|00 01 86 A0|";
>>> depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4;
>>> content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc;
>>> reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)
>>>
>>> Instead of $HOME_NET, I tried [any,!IP#1,!IP#2]. It didn't seem to
>>> work as I continued to get the same RPC alarms.
>>>
>>> Am I not thinking in the proper snort way, or is this just a syntax
>>> problem within my host list?
>>>
>>> Jacob
>>>
>> -- Joel Esler | Sourcefire | Google Voice: 302-223-5974
>>
>>
>
>
>
-- Joel Esler | Sourcefire | Google Voice: 302-223-5974
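What Joel's suggestion looks like in Snort's own suppression syntax (the
format documented in README.thresholding), as an added example that is not
part of the thread. It assumes Snort 2.8.x, that threshold.conf is pulled in
by snort.conf, and uses 172.19.0.10 and 172.19.0.11 as constructed stand-ins
for the two NFS servers Jacob calls IP#1 and IP#2:

```text
# Added example (not from the thread). Goes in threshold.conf (included from
# snort.conf via "include threshold.conf") or directly in snort.conf.
#
# gen_id 1 / sig_id 598 identify the "RPC portmap listing TCP 111" rule quoted
# above (gid 1 = text rule, sid:598). The rule header keeps $HOME_NET; nothing
# in the rule file is edited.
#
# The rule matches $EXTERNAL_NET any -> $HOME_NET 111, so the NFS servers are
# the destination of the matched flow: track by_dst and list each server.
# 172.19.0.10 and 172.19.0.11 are constructed addresses, not real hosts.
suppress gen_id 1, sig_id 598, track by_dst, ip 172.19.0.10
suppress gen_id 1, sig_id 598, track by_dst, ip 172.19.0.11

# A CIDR block is also accepted in the ip field if the servers share a subnet
# you are willing to silence for this one signature, e.g.:
# suppress gen_id 1, sig_id 598, track by_dst, ip 172.19.0.8/30
```

The two mechanisms do different things: negation in the rule header
(`[$HOME_NET,!IP#1,!IP#2]`) narrows what the rule can match at all, while a
suppress entry lets the rule fire and drops the event before it is logged.
Suppression has the practical advantage that it lives outside the rule file,
so the next rules update, which replaces sid:598 with a newer rev, does not
silently undo the tuning.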