[Snort-users] whitelist rule to 1 ip?

Morgan Cox morgancoxuk at ...11827...
Wed Mar 3 13:15:40 EST 2010


Thank you so much for your help everybody

cheers!


On 3 March 2010 18:00, Crook, Parker <Parker_Crook at ...14786...> wrote:

>  Morgan,
>
>
>
> Suppression is actually more than just log suppression; it is event
> suppression, stopping the event from firing under the specified
> circumstance.  So this should suit your needs just fine, however if you
> wanted to, you could build your needs into the rule…
>
>
>
> create a new variable:
>
> var whitelist1 !192.168.5.33
>
>
>
> and then modify the destination in your rule to use that new variable as
> the destination:
>
>
>
> drop icmp $EXTERNAL_NET any -> $whitelist1 any (msg:"ICMP L3retriever
> Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI";
> depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466;
> rev:5;)
>
>
>
> Hope this helps,
>
> Parker
>  ------------------------------
>
> *From:* Morgan Cox [mailto:morgancoxuk at ...11827...]
> *Sent:* Wednesday, March 03, 2010 12:25 PM
>
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] whitelist rule to 1 ip?
>
>
>
>  Hi.
>
> Thank you all for your responses.
>
> By whitelisting I mean prevent a rule being used for an ip address, not
> just the alert.
>
> As far as I understand, the suppression used in the threshold.conf file
> only prevents the alerts for the rule; the rule will still be active though
> (i.e. the rule will still block whatever to the IP we have suppressed). Is
> that correct? (I am running inline mode - not that it should matter)
>
> Using an example from this thread I would want to use something like this
> (I know this syntax will not work):
>
> drop icmp $EXTERNAL_NET any -> *any except* 192.168.5.33 any (msg:"ICMP
> L3retriever Ping"; icode:0; itype:8;
> content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32;
> reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)
>
> I hope this clarifies what I mean
>
> Thanks everybody.
>
> Once again OSS technical support beats the hell out of any companies
> support.
>
>
>
>
>  On 3 March 2010 14:14, Joel Esler <jesler at ...1935...> wrote:
>
> I don't understand what you mean by whitelist.
>
> Suppression allows you to turn off alerting for a particular ip.  That's
> whitelisting. If you want to write a rule for ONLY one IP, then you can
> modify the rule header to only deal with one IP instead of a whole variable.
>
> --
> Joel Esler
> Sent from my iPhone
>
>
>
> On Mar 3, 2010, at 5:11 AM, Morgan Cox <morgancoxuk at ...11827...> wrote:
>
>  Hi.
>
> I did ask this a while ago but never got a response.
>
> What is the correct way of white-listing a rule for a specific IP.
>
> I know that you can suppress warnings of a rule to an IP using the
> threshold file, but is there any way to completely whitelist a rule - to 1 IP
> only?
>
> Any help on this will be appreciated.
>
> Regards
>
>
>
>
>
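As an added example (not from the thread or from the Snort project), here is a small Python model of how Snort resolves the destination address of Parker's rule: `$whitelist1` expanded to `!192.168.5.33` matches every destination except that host, which is wider than `$HOME_NET`. The block goes beyond the thread by also modelling a `[$HOME_NET,!192.168.5.33]` list, where negated entries act as exclusions; that list semantics is my understanding of Snort 2 behaviour, not something stated above, and the `VARS` table is constructed for the example.

```python
import ipaddress

# Constructed variables for the example; whitelist1 is the one from the thread.
VARS = {
    "EXTERNAL_NET": "any",
    "HOME_NET": "192.168.5.0/24",
    "whitelist1": "!192.168.5.33",
}

def _split_list(body):
    """Split the inside of a [...] address list on top-level commas only."""
    items, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return items + [cur] if cur else items

def addr_matches(spec, ip, variables=VARS):
    """True if ip is covered by Snort address spec: any, $var, host/CIDR,
    [a,b,...] lists and ! negation. Inside a list, negated entries are
    exclusions (assumed Snort 2 behaviour, not stated in the thread)."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        items = [s.strip() for s in _split_list(spec[1:-1])]
        excluded = [s[1:] for s in items if s.startswith("!")]
        included = [s for s in items if not s.startswith("!")]
        if any(addr_matches(s, ip, variables) for s in excluded):
            return False
        return not included or any(addr_matches(s, ip, variables) for s in included)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(header, src, dst, variables=VARS):
    """Evaluate the address fields of a '->' rule header; ports are ignored."""
    _act, _proto, s_addr, _sp, _dir, d_addr, _dp = header.split()
    return addr_matches(s_addr, src, variables) and addr_matches(d_addr, dst, variables)

# Parker's rule: every destination except the whitelisted host (wider than HOME_NET).
THREAD_RULE = "drop icmp $EXTERNAL_NET any -> $whitelist1 any"
# Narrower variant: HOME_NET minus the whitelisted host, via list exclusion.
NARROW_RULE = "drop icmp $EXTERNAL_NET any -> [$HOME_NET,!192.168.5.33] any"
```

Running both headers against the same packets shows that `THREAD_RULE` also fires for destinations outside `HOME_NET` (for example 8.8.8.8), while `NARROW_RULE` only covers the local network minus the whitelisted host.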