[Snort-users] whitelist rule to 1 ip?

Morgan Cox morgancoxuk at ...11827...
Wed Mar 3 12:24:32 EST 2010


Hi.

Thank you all for your responses.

By whitelisting I mean prevent a rule being used for an ip address, not just
the alert.

As far as I understand, the suppression used in the threshold.conf file only
prevents the alerts for the rule; the rule will still be active though (i.e.
the rule will still block whatever to the IP we have suppressed). Is that
correct? (I am running inline mode - not that it should matter)

Using an example from this thread I would want to use something like this (I
know this syntax will not work):

drop icmp $EXTERNAL_NET any -> *any except* 192.168.5.33 any (msg:"ICMP
L3retriever Ping"; icode:0; itype:8;
content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32;
reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)

I hope this clarifies what I mean

Thanks everybody.

Once again OSS technical support beats the hell out of any company's
support.





On 3 March 2010 14:14, Joel Esler <jesler at ...1935...> wrote:

> I don't understand what you mean by whitelist.
>
> Suppression allows you to turn off alerting for a particular ip.  That's
> whitelisting. If you want to write a rule for ONLY one IP, then you can
> modify the rule header to only deal with one IP instead of a whole variable.
>
> --
> Joel Esler
> Sent from my iPhone
>
>
> On Mar 3, 2010, at 5:11 AM, Morgan Cox <morgancoxuk at ...11827...> wrote:
>
>> Hi.
>>
>> I did ask this a while ago but never got a response.
>>
>> What is the correct way of white-listing a rule for a specific IP?
>>
>> I know that you can suppress warnings of a rule to an IP using the
>> threshold file, but is there any way to completely whitelist a rule - to 1 IP
>> only?
>>
>> Any help on this will be appreciated.
>>
>> Regards
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
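The construction the post above is reaching for, as an added example that is not part of this thread: Snort rule headers accept a bracketed IP list with `!` negation, so one host can be carved out of the destination field and the rule itself never matches traffic to it. A threshold.conf `suppress` entry is shown beside it for contrast. The rule options are the ones quoted in the thread; `$HOME_NET` is assumed to be defined in snort.conf, and the negated host is combined with it rather than written as a bare `!192.168.5.33`, because a bare negation would match every other address on the internet, not just the rest of the home network.

```snort
# Added example, not from the thread. Exclude one host from the rule header:
# the destination list matches $HOME_NET minus 192.168.5.33, so for that host
# the rule is never evaluated against the packet (no event, no drop verdict).
drop icmp $EXTERNAL_NET any -> [$HOME_NET,!192.168.5.33] any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)

# For contrast, the threshold.conf suppression discussed above. This only
# silences the event for that destination; the rule is still matched against
# the packet, which is the difference the post is asking about.
suppress gen_id 1, sig_id 466, track by_dst, ip 192.168.5.33
```

The header form is the only one of the two that stops the rule from applying to the host; keep the local copy of the rule in a separate rules file so that a ruleset update does not overwrite the edited header.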

