Snort mailing list archives
RE: Filtering alerts
From: "Richard Brackett" <rbrackett () securityvolition com>
Date: Tue, 23 Sep 2003 10:09:54 -0400
Thanks man, that'll help.

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Tuesday, September 23, 2003 10:04 AM
To: Richard Brackett
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Filtering alerts

On Tue, 23 Sep 2003, Richard Brackett wrote:

> I understand what you're saying, but what about a rule I'm interested in,
> like the IIS Code Red rule. I know that all my current servers are patched
> against it, so the alerts I get are just noise. I'm loath to disable the
> rule though, because I never know when someone might put up an unpatched
> IIS box and get it infected. So, I'd like to be able to say "Don't alert
> when you see this attack to these addresses, but please alert to any other
> address." The only way to do it with Snort seems to be to use pass rules,
> which are supposed to take more CPU cycles to process. The BPF rules don't
> help me with individual SIDs, just IPs and protocols. Is there an output
> processing system that will filter alerts before sending them to MySQL for
> ACID to look at?
Modify the rule and place it in something like 'my.rules'.

    var MY_PATCHED_SERVERS [10.10.10.0/29]
    alert tcp $EXTERNAL_NET any -> !$MY_PATCHED_SERVERS 80 <stuff>

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
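As an added illustration (not code from the thread or from the Snort project), the following Python script models how the negated destination in Erek's suggested rule header is evaluated, so an administrator can sanity-check an exclusion list before deploying the rule. The address-spec grammar it accepts (`any`, `$VAR` substitution, a leading `!`, and a bracketed comma-separated list of CIDR blocks) is the subset used in the thread; the sample hits at the bottom are constructed, and the variable name `MY_PATCHED_SERVERS` and the `/29` block come from Erek's message.

```python
import ipaddress

# Constructed mirror of the suggested rule: the patched-server variable and
# the negated destination spec of the rule header.
VARS = {"MY_PATCHED_SERVERS": "[10.10.10.0/29]"}
RULE_DST = "!$MY_PATCHED_SERVERS"
RULE_DST_PORT = 80


def parse_addr_spec(spec, variables=VARS):
    """Parse a Snort-style address spec into (negated, networks).

    networks is None for 'any'; otherwise a list of ip_network objects.
    A '!' on the spec and a '!' inside a substituted variable cancel out,
    which is what you would expect from double negation.
    """
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:].strip()
    if spec.startswith("$"):
        inner_neg, nets = parse_addr_spec(variables[spec[1:]], variables)
        return negated != inner_neg, nets
    if spec == "any":
        return negated, None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(part.strip(), strict=False)
            for part in spec.split(",") if part.strip()]
    return negated, nets


def addr_matches(spec, ip, variables=VARS):
    """True if the address spec matches ip, honouring negation."""
    negated, nets = parse_addr_spec(spec, variables)
    if nets is None:
        hit = True  # 'any' matches everything
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in nets)
    return hit != negated  # XOR: a negated spec matches when the list does not


def should_alert(dst_ip, dst_port, dst_spec=RULE_DST, port=RULE_DST_PORT):
    """Destination part of the rule header: port must match and the
    address must fall outside the patched-server list."""
    return dst_port == port and addr_matches(dst_spec, dst_ip)


# Constructed sample hits: (destination IP, destination port)
SAMPLE_HITS = [
    ("10.10.10.3", 80),   # patched server inside the /29: stays quiet
    ("10.10.10.7", 80),   # last address of the /29: still excluded
    ("10.10.10.8", 80),   # first address outside the /29: alerts
    ("10.10.20.5", 80),   # unrelated host: alerts
    ("10.10.20.5", 443),  # wrong port: the rule never applies
]


def evaluate(hits=SAMPLE_HITS):
    """Return [(ip, port, alert?)] for each hit, for review before rollout."""
    return [(ip, port, should_alert(ip, port)) for ip, port in hits]


if __name__ == "__main__":
    for ip, port, alerts in evaluate():
        print(f"{ip}:{port} -> {'ALERT' if alerts else 'suppressed'}")
```

Running it lists which constructed hits would still raise the alert; the two hosts inside the /29 are suppressed while everything else on port 80 still fires, which is exactly the "alert everywhere except these addresses" behaviour the question asked for. Because the exclusion lives in the rule header rather than in a pass rule, the decision is made during normal rule matching rather than by a second rule that has to be consulted first.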
Current thread:
- Filtering alerts Richard Brackett (Sep 22)
- Re: Filtering alerts Geoff (Sep 22)
- <Possible follow-ups>
- RE: Filtering alerts Richard Brackett (Sep 22)
- RE: Filtering alerts Erek Adams (Sep 23)
- RE: Filtering alerts Richard Brackett (Sep 23)
- RE: Filtering alerts Erek Adams (Sep 23)
- RE: Filtering alerts Richard Brackett (Sep 23)
- RE: Filtering alerts Marc Quibell (Sep 23)