[Snort-users] Rules Question

Jacob Steinberger trefalgar at ...14634...
Wed Aug 12 15:14:01 EDT 2009


Joel,

Worked like a charm. Thank you very much for a shove in the right direction!

suppress gen_id 1, sig_id 598, track by_dst, ip #1
suppress gen_id 1, sig_id 598, track by_dst, ip #2

Jacob

Quoting Joel Esler <jesler at ...1935...>:

> You are confusing the two.  Take a look at the manual for Suppression, or
> check out the README.thresholding file in the doc/ directory of the Snort
> tarball.
> Joel
>
> On Wed, Aug 12, 2009 at 2:16 PM, Jacob Steinberger <
> trefalgar at ...14634...> wrote:
>
>> $HOME_NET = [172.19.0.0/16]
>>
>> If I add a suppression, would that still parse correctly?
>> `[172.19.0.0/16][!IP#1,!IP#2]`, or am I confusing the 'suppression' term
>> with negate? ;)
>>
>> Jacob
>>
>>
>> Quoting Joel Esler <jesler at ...1935...>:
>>
>>> Why don't you leave $HOME_NET as $HOME_NET and use a suppression to tune
>>> out the two servers that you want to eliminate from the alert process?
>>> J
>>>
>>> On Wed, Aug 12, 2009 at 1:24 PM, Jacob Steinberger <
>>> trefalgar at ...14634...> wrote:
>>>
>>>> I'm not sure if I'm thinking about this in the "Snort" way or not, but ...
>>>>
>>>> I'm receiving a lot of "RPC portmap listing TCP 111" alerts from snort
>>>> running in IDS mode. We have two different NFS servers which I can
>>>> attribute 99% of the alarms from (over 4,000 in less than 24 hours).
>>>>
>>>> I'd like to be able to specifically ignore requests going to these two
>>>> servers. I assume this is a rules update, so I tried updating this rule:
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing
>>>> TCP 111"; flow:to_server,established; content:"|00 01 86 A0|";
>>>> depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4;
>>>> content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc;
>>>> reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)
>>>>
>>>> Instead of $HOME_NET, I tried, [any,!IP#1, !IP#2]. It didn't seem to
>>>> work as I continued to get the same RPC alarms.
>>>>
>>>> Am I not thinking in the proper snort way, or is this just a syntax
>>>> problem within my host list?
>>>>
>>>> Jacob
>>>>
>>>>
>>>>
>>>>
>>> -- Joel Esler | Sourcefire | Google Voice: 302-223-5974
>>>
>>>
>>
>>
>>
> -- Joel Esler | Sourcefire | Google Voice: 302-223-5974
>
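Joel's answer above is to leave the rule header alone and put the two NFS servers in a suppression keyed on gen_id/sig_id and the tracked address. As an added example that is not part of the thread or of Snort itself, the following Python models how such suppress lines decide which sid 598 alerts are silenced; the 10.0.0.x addresses and alert tuples are constructed stand-ins for IP#1 and IP#2.

```python
# Added example, not code from the thread or from Snort: models how a Snort
# 'suppress' line (threshold.conf, see README.thresholding) decides which
# alerts are silenced. Handles one IP or CIDR after 'ip'; the 10.0.0.x
# addresses and alert tuples are constructed stand-ins for IP#1 / IP#2.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]   # None: every alert for this gid/sid is silenced
    net: Optional[ipaddress.IPv4Network]

def parse_suppress(line: str) -> Suppress:
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid suppress line: {line!r}")
    gid, sid, track, ip = m.groups()
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return Suppress(int(gid), int(sid), track, net)

def is_suppressed(rules, gid, sid, src, dst) -> bool:
    """True if alert (gid, sid, src -> dst) is dropped; the rule still fires."""
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue
        if r.track is None:
            return True
        addr = ipaddress.ip_address(src if r.track == "by_src" else dst)
        if addr in r.net:
            return True
    return False

def filter_alerts(rules, alerts):
    return [a for a in alerts if not is_suppressed(rules, *a)]

THRESHOLD_CONF = ["suppress gen_id 1, sig_id 598, track by_dst, ip 10.0.0.5",
                  "suppress gen_id 1, sig_id 598, track by_dst, ip 10.0.0.6"]
ALERTS = [(1, 598, "192.0.2.10", "10.0.0.5"),   # NFS server #1: silenced
          (1, 598, "192.0.2.10", "10.0.0.6"),   # NFS server #2: silenced
          (1, 598, "192.0.2.10", "10.0.0.9"),   # other host: still logged
          (1, 599, "192.0.2.10", "10.0.0.5")]   # different sid: unaffected
```

Unlike editing the rule's destination field, the suppression keeps sid 598 firing for every other host, so a portmap listing against an unexpected server is still logged.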