[Snort-users] Whitelisting

Jeremy Hoel jthoel at ...11827...
Thu Feb 7 11:38:54 EST 2013


You could do a BPF filter to have snort ignore the traffic (the bpf
file is referenced in the command line options), or you could
whitelist (threshold) certain alerts via source or destination (using
threshold.conf). You could also write pass rules for certain alerts,
changing the IPs to make sure that specific traffic doesn't alert
(copy the alert to local.rules, change alert to pass and change the IP
variables).

Lots of options.


On Thu, Feb 7, 2013 at 4:25 PM, Erik D. Sciortino <ESciortino at ...16078...> wrote:
> Good Morning All,
>
> I want to start tuning my Snort install so I can cut down on some of the
> chatter currently being seen in the logs. I would like to use whitelisting
> to help eliminate some of the legitimate server traffic chatter that I am
> seeing in Snort. Can I create a Whitelist rule for a specific
> system-to-system interaction (i.e. the IP traffic going between my BlueCoat
> ProxySG and ProxyAV) or do whitelist rules only work based on Source IP
> (i.e. I could whitelist the IP address of my ProxySG only)? If it is
> possible to create a whitelist rule for system-to-system interaction, would
> it be possible for someone to provide me with some sample nomenclature that
> I could follow?
>
> Thanks in advance!
>
> Erik
>
> Erik D. Sciortino, CISSP, CISM, CIPP
> Director of Data Security
> American Board of Internal Medicine
> 510 Walnut Street | Suite 1700 | Philadelphia, PA 19106
> P: 215.446.3525 | C: 215.847.2207 | E: esciortino at ...16078...
> www.ABIM.org
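The three options in the reply above, written out in Snort 2.9 syntax as an added example (this is not code from the thread or from the Snort project). The ipvar names, the 10.1.1.x addresses, the local SIDs, the placeholder sig_id 1000, the ICAP port 1344 and the content string are all constructed for illustration; substitute the real hosts and the SID printed in the noisy alert. Only the pass rule can key on the source/destination pair Erik asked about; suppress in threshold.conf tracks one side at a time, and a BPF filter drops the packets before Snort ever decodes them.

```snort
# --- snort.conf: name the two hosts once so every rule below refers to them ---
# (addresses are constructed placeholders, not real ones)
ipvar PROXYSG 10.1.1.10
ipvar PROXYAV 10.1.1.11

# --- Option 1: pass rule in local.rules (the only option that keys on the PAIR) ---
# "<>" makes the rule bidirectional; protocol "ip" covers everything between the
# two hosts, so this silences ALL alerts on their conversation, not just one.
# SIDs >= 1000000 are reserved for local rules.
pass ip $PROXYSG any <> $PROXYAV any (msg:"LOCAL whitelist ProxySG<->ProxyAV"; sid:1000001; rev:1;)

# Narrower variant, the one the reply describes: copy the noisy alert rule into
# local.rules, change "alert" to "pass" and pin the IPs, keeping the original
# content match so that only THAT signature is muted for this pair and every
# other rule still inspects the traffic. (Port 1344 is the ICAP default the two
# proxies are assumed to use; the content string is a placeholder standing in
# for whatever the copied rule actually matches.)
pass tcp $PROXYSG any -> $PROXYAV 1344 (msg:"LOCAL pass copy of noisy rule"; flow:to_server,established; content:"RESPMOD icap://"; sid:1000002; rev:1;)

# --- Option 2: threshold.conf suppression (keys on ONE side only) ---
# suppress understands track by_src or track by_dst, never a src/dst pair, so it
# answers the "source IP only" half of the question. gen_id 1 = text rules;
# sig_id 1000 is a placeholder for the SID shown in the alert being silenced.
suppress gen_id 1, sig_id 1000, track by_src, ip 10.1.1.10
suppress gen_id 1, sig_id 1000, track by_dst, ip 10.1.1.11

# --- Option 3: BPF file, loaded with "snort -F /etc/snort/whitelist.bpf ..." ---
# Packets matching the filter never reach the decoder, so Snort is completely
# blind to them: no stream reassembly, no preprocessor events, no other rules.
not (host 10.1.1.10 and host 10.1.1.11)
```

Two checks before relying on this: snort.conf must still `include $RULE_PATH/local.rules` and `include threshold.conf` (or whatever file the suppress lines live in), and Snort 2.9's default rule order evaluates pass before alert; if the daemon is started with `--alert-before-pass`, that order is reversed and the pass rules above will not win. Prefer the narrow pass copy or the suppress entries over the broad `pass ip` rule and the BPF filter, since those two make Snort blind to everything between the proxies, including anything that later rides through them.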
