[Snort-users] Event Suppression between specific Source and Destination

Tony Robinson deusexmachina667 at ...11827...
Sat Dec 15 12:10:59 EST 2012


If you're good with BPF syntax, snort accepts BPF filters. If you have
enough key things to flag on, you can use the BPF to make snort ignore
traffic meeting the characteristics causing your alert to trigger between
these two hosts.

It's not a pretty alternative, but it's an alternative nonetheless.

On Fri, Dec 14, 2012 at 10:06 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> You could also suppress an alert between two hosts by creating a pass
> rule.
>
> Also, most rules (that I can think of based on our alerts) are
> unidirectional. So if I know some servers always get rap traffic I suppress
> those alerts with the src or dst depending on the rule.
> On Dec 14, 2012 7:41 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:
>
>> On 12/14/2012 10:44, Guido Hungerbuehler wrote:
>> > I only agree on parts. Because if you would like to create a pass rule
>> > for one specific rule and the two affected hosts, this would mean that I
>> > basically have to copy the rule that triggers the event and replace
>> > 'alert' with 'pass' and adjust the source and destination.
>> >
>> > But if the signature gets a new revision, the pass-rule does not get
>> > updated. And I would have to check for changes in the rules manually.
>>
>> welcome to IDS Management 101 ;)
>>
>> but seriously, i see what you are saying but there is no other method
>> available at this time for the way you choose to operate :?
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>



-- 
when does reality end? when does fantasy begin?
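Guido's objection earlier in the thread (a hand-copied pass rule goes stale when the signature gets a new revision) can be handled by regenerating the pass rules from the live rules file after every update. The script below is an added example, not code from the thread or from the Snort project; the rule text, sids and hosts are constructed placeholders, and it assumes pass rules are evaluated before alert rules in your snort.conf (`config order`).

```shell
#!/bin/sh
# Regenerates pass rules for specific host pairs from the CURRENT alert rules.
# Re-run it after every rule update so a new revision of the signature is
# reflected in the pass rule instead of going stale. All inputs are constructed.

# make_pass_rule RULE SRC DST NEW_SID
# Copies one alert rule as a pass rule pinned to SRC -> DST, keeping every
# option (so the match conditions stay identical) and assigning its own sid.
make_pass_rule() {
    printf '%s\n' "$1" | sed -E \
        -e 's#^[[:space:]]*alert[[:space:]]+([^[:space:]]+)[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]+)[[:space:]]+(->|<>)[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]+)#pass \1 '"$2"' \2 \3 '"$3"' \4#' \
        -e 's#sid:[0-9]+;#sid:'"$4"';#'
}

# gen_pass_rules RULES_FILE EXCEPTIONS_FILE
# EXCEPTIONS_FILE holds "sid src dst" per line; each sid is looked up in the
# live rules file, so the pass rule always mirrors the current revision.
# A sid that no longer exists (or is commented out) is reported and skipped.
gen_pass_rules() {
    base_sid=2000000; n=0
    while read -r sid src dst; do
        case "$sid" in ''|'#'*) continue ;; esac
        rule=$(grep -E '^[[:space:]]*alert[[:space:]]' "$1" | grep -F -- "sid:$sid;" | head -n 1)
        if [ -z "$rule" ]; then
            echo "warning: sid $sid not in $1, exception skipped" >&2
            continue
        fi
        n=$((n + 1))
        make_pass_rule "$rule" "$src" "$dst" "$((base_sid + n))"
    done < "$2"
}

# demo: constructed rules file and exception list (placeholder sids and hosts).
demo() {
    d=$(mktemp -d)
    cat > "$d/local.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server,established; sid:1000010; rev:3;)
# alert tcp any any -> any any (msg:"disabled"; sid:1000011; rev:1;)
EOF
    printf '%s\n' '1000010 10.0.0.5 10.0.0.9' '1000011 10.0.0.5 10.0.0.9' > "$d/exceptions.txt"
    gen_pass_rules "$d/local.rules" "$d/exceptions.txt" 2>/dev/null
    rm -rf "$d"
}
```

Write the output to a dedicated pass-rules file included from snort.conf and run the script from the same job that pulls rule updates.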