[Snort-users] whitelist rule to 1 ip?

Crook, Parker Parker_Crook at ...14786...
Wed Mar 3 13:00:09 EST 2010


Morgan,



Suppression is actually more than just log suppression; it is event suppression, stopping the event from firing under the specified circumstance. So this should suit your needs just fine; however, if you wanted to, you could build your needs into the rule...



create a new variable:

var whitelist1 !192.168.5.33



and then modify the destination in your rule to use that new variable as the destination:



drop icmp $EXTERNAL_NET any -> $whitelist1 any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)



Hope this helps,

Parker
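To make the difference between the two approaches discussed above concrete, here is an added illustration (not Snort's own code and not from anyone in this thread): a toy model of how Snort 2.x evaluates a negated IP variable in a rule header versus how a `suppress` entry in threshold.conf is keyed. The snort.conf and threshold.conf lines in it are constructed for the example, and `EXTERNAL_NET` is assumed to be defined as `!$HOME_NET` rather than the stock `any`. The model shows ordering only: a negated destination variable removes the host from the rule's scope before any payload option is checked, while a suppress entry is looked up by gen_id/sig_id plus one endpoint after the rule has already matched. It does not attempt to reproduce what Snort's inline drop action does for a suppressed event, which is the open question in the thread.

```python
"""Toy model of Snort 2.x IP-list negation and 'suppress' entries, added to
illustrate this thread; it is not Snort's code.  Config lines are constructed
and EXTERNAL_NET is assumed to be the stock '!$HOME_NET' definition."""
import ipaddress
import re

CONF = """
ipvar HOME_NET 192.168.5.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar whitelist1 !192.168.5.33
"""
# Parker's header with the destination swapped for the new variable.
RULE_HEADER = "drop icmp $EXTERNAL_NET any -> $whitelist1 any"
GID, SID = 1, 466
# Constructed threshold.conf line in Snort's documented suppress syntax.
SUPPRESS_LINE = "suppress gen_id 1, sig_id 466, track by_dst, ip 192.168.5.33"

def parse_variables(conf):
    """Collect `ipvar`/`var` NAME VALUE lines (values left unexpanded)."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(?:ipvar|var)\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def split_top_level(text):
    """Split on commas that are not nested inside [...] brackets."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

class IPList:
    """Matches an address that lies in some positive element (or the list is
    'any' / purely negated) and in no negated element; '!' flips the sense."""
    def __init__(self, text, variables):
        self.positive, self.negated = [], []
        self._add(text, variables, negate=False)

    def _add(self, text, variables, negate):
        text = text.strip()
        if text.startswith("!"):
            self._add(text[1:], variables, not negate)
        elif text.startswith("$"):
            self._add(variables[text[1:]], variables, negate)
        elif text.startswith("[") and text.endswith("]"):
            for part in split_top_level(text[1:-1]):
                self._add(part, variables, negate)
        elif text == "any":
            if negate:
                raise ValueError("'!any' is not a valid Snort IP list")
        else:
            net = ipaddress.ip_network(text, strict=False)
            (self.negated if negate else self.positive).append(net)

    def contains(self, addr):
        addr = ipaddress.ip_address(addr)
        in_positive = not self.positive or any(addr in n for n in self.positive)
        return in_positive and not any(addr in n for n in self.negated)

def parse_header(header, variables):
    action, proto, src, sport, _arrow, dst, dport = header.split()
    return {"action": action, "proto": proto, "sport": sport, "dport": dport,
            "src": IPList(src, variables), "dst": IPList(dst, variables)}

def header_matches(rule, proto, src_ip, dst_ip):
    """Does the packet pass the header at all (before any payload checks)?"""
    return (rule["proto"] == proto and rule["src"].contains(src_ip)
            and rule["dst"].contains(dst_ip))

def parse_suppress(line):
    """Parse 'suppress gen_id G, sig_id S, track by_src|by_dst, ip LIST'."""
    m = re.match(r"\s*suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),"
                 r"\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)", line)
    if not m:
        raise ValueError("unsupported suppress line: " + line)
    return {"gid": int(m.group(1)), "sid": int(m.group(2)),
            "track": m.group(3), "ip": IPList(m.group(4), {})}

def is_suppressed(entry, gid, sid, src_ip, dst_ip):
    """Keyed on the event (gid/sid) plus one endpoint, after the rule matched."""
    if (entry["gid"], entry["sid"]) != (gid, sid):
        return False
    return entry["ip"].contains(src_ip if entry["track"] == "by_src" else dst_ip)

def evaluate(src_ip, dst_ip, proto="icmp"):
    variables = parse_variables(CONF)
    rule = parse_header(RULE_HEADER, variables)
    entry = parse_suppress(SUPPRESS_LINE)
    return {"header_matches": header_matches(rule, proto, src_ip, dst_ip),
            "suppressed": is_suppressed(entry, GID, SID, src_ip, dst_ip)}
```

Calling `evaluate("203.0.113.9", "192.168.5.33")` reports that the packet never matches the rule header at all, while `evaluate("203.0.113.9", "192.168.5.40")` matches the header and is not covered by the suppress entry. The `IPList` class also handles the bracketed, nested-negation lists the Snort manual allows (for example `[10.0.0.0/8,![10.1.0.0/16,10.2.2.2]]`), so it goes slightly beyond the single negated host in Parker's reply.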

  _____

From: Morgan Cox [mailto:morgancoxuk at ...11827...]
Sent: Wednesday, March 03, 2010 12:25 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] whitelist rule to 1 ip?



Hi.

Thank you all for your responses.

By whitelisting I mean prevent a rule being used for an ip address, not just the alert.

As far as I understand, the suppression used in the threshold.conf file only prevents the alerts for the rule; the rule will still be active though (i.e. the rule will still block whatever to the IP we have suppressed). Is that correct? (I am running inline mode - not that it should matter.)

Using an example from this thread, I would want to use something like this (I know this syntax will not work):

drop icmp $EXTERNAL_NET any -> *any except* 192.168.5.33 any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)

I hope this clarifies what I mean.

Thanks everybody.

Once again OSS technical support beats the hell out of any companies support.






On 3 March 2010 14:14, Joel Esler <jesler at ...1935...> wrote:

I don't understand what you mean by whitelist.

Suppression allows you to turn off alerting for a particular IP. That's whitelisting. If you want to write a rule for ONLY one IP, then you can modify the rule header to only deal with one IP instead of a whole variable.

--
Joel Esler
Sent from my iPhone



On Mar 3, 2010, at 5:11 AM, Morgan Cox <morgancoxuk at ...11827...> wrote:

Hi.

I did ask this a while ago but never got a response.

What is the correct way of white-listing a rule for a specific IP?

I know that you can suppress warnings of a rule to an IP using the threshold file, but is there any way to completely whitelist a rule - to 1 IP only?

Any help on this will be appreciated.

Regards



