Snort mailing list archives
FW: Rule to exclude a specific IP in Snort
From: "grant" <grant () macaulayconsultants co uk>
Date: Thu, 16 Oct 2003 12:34:05 +0100
I am trying to create an exclusion list for multiple machines and rules. I have created a file called whiteSRC.txt and included this in my snort.conf. I can get it to work with one machine. I am having difficulty with multiple entries. Is there any information or documentation I can get anywhere?

suppress gen_id 1, sig_id 409, track by_src, ip 172.30.234.56

This line works fine!

suppress gen_id 2, sig_id 1419, track by_dst, ip 172.28.71.60

Is this right? I made this up!!

Thanks
Grant Macaulay

Hey Chris,

What does the different part of that instruction mean?:

suppress gen_id 1,    <-- what does this mean?
sig_id 527,
track by_src,         <-- And this?
ip 192.168.10.37

Thanks

Juan M. Rivera Rivera
IT Director
American University of P.R.

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Thursday, October 09, 2003 9:28 AM
To: Juan M. Rivera
Cc: Snort Users List
Subject: Re: [Snort-users] Rule to exclude a specific IP in Snort

"Juan M. Rivera" <jrivera () aupr edu> writes:

> I'm trying to modify the following Snort Rule:
>
> Alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)
>
> I'm getting an alert on just one ip address and I know what the problem is.
> So I'm trying to modify this rule so that it takes into account any internal
> ip address except 192.168.10.37.

Don't bother with changing the rule anymore for handling that case.

suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37

in snort 2.0.2.
--
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.