[Snort-users] Event Suppression between specific Source and Destination

Jeremy Hoel jthoel at ...11827...
Sat Dec 15 14:17:13 EST 2012


That's a good idea too.  I hadn't thought of using BPF for that reason.
Plus fewer rules... nice.
On Dec 15, 2012 10:10 AM, "Tony Robinson" <deusexmachina667 at ...11827...>
wrote:

> If you're good with BPF syntax, Snort accepts BPF filters; if you have
> enough key things to flag on, you can use the BPF to make Snort ignore
> traffic meeting the characteristics causing your alert to trigger between
> these two hosts.
>
> It's not a pretty alternative, but it's an alternative nonetheless.
>
> On Fri, Dec 14, 2012 at 10:06 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>> You could also suppress an alert between two hosts by creating a pass
>> rule.
>>
>> Also, most rules (that I can think of based on our alerts) are
>> unidirectional. So if I know some servers always get rap traffic I suppress
>> those alerts with the src or dst depending on the rule.
>> On Dec 14, 2012 7:41 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:
>>
>>> On 12/14/2012 10:44, Guido Hungerbuehler wrote:
>>> > I only agree on parts. Because if you would like to create a pass rule
>>> > for one specific rule and the two affected hosts, this would mean that I
>>> > basically have to copy the rule that triggers the event and replace
>>> > 'alert' with 'pass' and adjust the source and destination.
>>> >
>>> > But if the signature gets a new revision, the pass-rule does not get
>>> > updated. And I would have to check for changes in the rules manually.
>>>
>>> welcome to IDS Management 101 ;)
>>>
>>> but seriously, i see what you are saying but there is no other method
>>> available at this time for the way you choose to operate :?
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>>> Remotely access PCs and mobile devices and provide instant support
>>> Improve your efficiency, and focus on delivering more value-add services
>>> Discover what IT Professionals Know. Rescue delivers
>>> http://p.sf.net/sfu/logmein_12329d2d
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>
>
>
> --
> when does reality end? when does fantasy begin?
>
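Guido's objection in the quoted text (a hand-copied pass rule silently falls behind once the alert rule's rev changes) can be made mechanical. This is an added example, not code from the thread or from the Snort project: it copies an alert rule into a pass rule for one host pair, records the source sid and rev in metadata (the `suppresses_sid`/`suppresses_rev` keys are an assumed local convention), and flags pass rules whose alert rule has since been revised. The rules and sids are constructed placeholders.

```python
import re

# Constructed sample rules for this example; the sids are placeholders, not real Snort rule ids.
ALERT_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH version probe"; flow:to_server,established; content:"SSH-"; depth:4; sid:9000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE scanner user agent"; flow:to_server,established; content:"User-Agent|3a| scanner"; sid:9000002; rev:1;)
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Split one Snort rule into header fields plus an ordered list of (key, value) options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # blank line, comment, or something that is not a rule
    rule = m.groupdict()
    # Options end in ';'; a literal ';' inside content is escaped as '\;', so do not split there.
    parts = [p.strip() for p in re.split(r'(?<!\\);', rule.pop('opts')) if p.strip()]
    rule['opts'] = [(k.strip(), v.strip()) for k, _, v in (p.partition(':') for p in parts)]
    return rule

def option(rule, key):
    return next((v for k, v in rule['opts'] if k == key), None)

def make_pass_rule(alert_rule, src_ip, dst_ip, pass_sid):
    """Copy an alert rule as a pass rule narrowed to one host pair, recording the alert's sid
    and rev in a metadata option (assumed custom keys; Snort 2.x ignores metadata keys it does not use)."""
    r = parse_rule(alert_rule)
    opts = [(k, v) for k, v in r['opts'] if k not in ('sid', 'rev')]
    opts.append(('metadata', f"suppresses_sid {option(r, 'sid')}, suppresses_rev {option(r, 'rev')}"))
    opts += [('sid', str(pass_sid)), ('rev', '1')]
    body = ' '.join(f'{k};' if v == '' else f'{k}:{v};' for k, v in opts)
    return f"pass {r['proto']} {src_ip} {r['sport']} {r['dir']} {dst_ip} {r['dport']} ({body})"

def stale_pass_rules(alert_rules_text, pass_rules_text):
    """Return (pass_sid, alert_sid, recorded_rev, current_rev) for pass rules whose alert has since changed."""
    current = {option(r, 'sid'): option(r, 'rev')
               for r in map(parse_rule, alert_rules_text.splitlines()) if r and r['action'] == 'alert'}
    stale = []
    for r in map(parse_rule, pass_rules_text.splitlines()):
        if not r or r['action'] != 'pass' or not option(r, 'metadata'):
            continue
        meta = dict(kv.split(None, 1) for kv in option(r, 'metadata').split(',') if len(kv.split()) == 2)
        sid, rev = meta.get('suppresses_sid'), meta.get('suppresses_rev')
        if sid and current.get(sid) != rev:  # rev bumped, or the alert rule was removed entirely
            stale.append((option(r, 'sid'), sid, rev, current.get(sid)))
    return stale
```

Run `stale_pass_rules` against the freshly updated ruleset after each rule update; any tuple it returns is a pass rule that needs to be re-derived from the current alert rule.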