[Snort-users] Overriding alert rules with pass rules for specific cases

Kimi Ushida kimi at ...15501...
Fri May 9 13:04:24 EDT 2014


The vuln scanner runs continuously throughout the day (and night), so
unfortunately suppressing events wouldn't be an option.



On 5/9/2014 5:39 AM, Joel Esler (jesler) wrote:
> On May 9, 2014, at 12:10 AM, Kimi Ushida <kimi at ...15501...> wrote:
> 
> I have a question about writing a rule which in specific cases will pass
> (not alert/drop) traffic that a VRT rule would otherwise alert on.  I'd
> like to leave the original VRT rule enabled as-is (for example, SID
> 25975, revision 2) since it's generally reliable.
> 
> However, this falses in cases where we have a vuln scanner that we'd
> like to pass through without dropping, but this scanner's source IP may
> be obfuscated (such as through NAT, etc.) and from the perspective of
> the sensor could potentially share this same source IP with actual
> malicious sources.  Therefore using BPF wouldn't work since I have no
> way of distinguishing in the IP header between good and evil clients.
> 
> I figured this is simply writing an equivalent pass rule keeping all of
> the original rule options in place but adding a content match
> which singles out the legitimate traffic we want to pass (for my case,
> the legit vuln scanner traffic will be seen with a unique content string
> which I can flag against).  However, I'm apparently not doing something
> right and I'm guessing this is attributed to the "fast_pattern:only;"
> part in the original VRT rule.  Perhaps I need a refresher on the
> fast-pattern matching system to understand where I'm going wrong.
> 
> 
> Sounds like what you want to do is a suppression.  Perhaps only for the time when the vuln scanner is running?
> 
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
> 
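The alert/pass pair Kimi describes, as an added example and not text from the thread or a real VRT rule: SID 25975's actual options are not on the page, so the alert rule below is a constructed stand-in, and the scanner marker header, the local SIDs and the URI string are all made up for illustration.

```snort
# Constructed stand-in for the VRT alert rule (its real options are not
# reproduced here). fast_pattern:only hands the string to the fast-pattern
# matcher alone and skips re-evaluating it as a rule option, which is legal
# because the content carries no offset/depth/distance/within modifiers.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE stand-in for VRT SID 25975"; \
    flow:to_server,established; \
    content:"/vuln-check.php"; fast_pattern:only; http_uri; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# Pass rule: every match condition of the alert rule (same flow, same
# content, same buffer modifiers) plus one extra content that only the
# authorised scanner sends. Snort evaluates pass rules before alert/drop
# rules by default, so when both rules match this one wins; if the sensor
# is started with --alert-before-pass the override does not take effect.
# The marker is the pass rule's fast pattern because it is the rarer string.
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE pass authorised vuln scanner for SID 25975"; \
    flow:to_server,established; \
    content:"/vuln-check.php"; http_uri; \
    content:"X-Scan-Marker: EXAMPLE-SECRET-VALUE"; fast_pattern; http_header; \
    sid:1000002; rev:1; )
```

Treat the marker as a shared secret with the scanner team: any request carrying it is exempted from the alert rule, so keep it out of scanner templates that others can read and rotate it with the rule's rev.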