Snort mailing list archives
Re: ignore a single host
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 23 Nov 2004 09:15:24 +0000
--On 22 November 2004 12:23 -0500 Matt Kettler <mkettler () evi-inc com> wrote:
At 04:44 AM 11/21/2004, isp wrote:

I have a computer which continuously gets the following alert. It is because it is making lots of SNMP requests, which is what it is supposed to do. How do I get snort to ignore a single host like this, or just ignore this particular alert?

Option 1 - pass rules

Create a pass rule for the host, and add -o to your snort command line so pass rules get applied first.

Option 2 - bpf filters

Pass a BPF filter on the command line that will ignore this host. See the tcpdump manpages for information on BPF syntax, as tcpdump uses the same BPF library as snort. Something like "host not 1.1.1.1" should work, or "udp and src not 1.1.1.1" as a more specific version.

Option 3 - comment out the rule in the rulefile

It's a bit brute force, but it works. It should be in snmp.rules. Use grep to find a rule with sid:1417.

Option 4 - suppress the alert:

suppress gen_id 1, sig_id 1417

http://www.snort.org/docs/snort_manual/node12.html
Option 5 - edit the rule so that the host or hosts in question are excluded:

var NOISY_SNMP_HOSTS [10.1.1.1/32,10.1.1.2/32]
alert udp $EXTERNAL_NET any -> !$NOISY_SNMP_HOSTS 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)

It's probably best to do such editing using a tool such as oinkmaster.

Incidentally, shouldn't this rule be using !$SNMP_SERVERS as the destination, rather than $HOME_NET?
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
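As an added example (not code from the thread, from Snort or from oinkmaster), the following Python helper parses the SNMP rule discussed above and, for a given list of noisy hosts, emits the three narrow alternatives to editing the rule: a suppress entry limited to those hosts (Option 4), a pass rule (Option 1) and a BPF filter (Option 2). The sample rule is trimmed from the one quoted above, and the local sid 1000001, the function names and the msg text are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample: the SNMP request rule quoted in the thread (sid 1417), trimmed.
SNMP_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; '
             'reference:cve,2002-0012; classtype:attempted-recon; sid:1417; rev:9;)')

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')

def parse_rule(rule):
    """Split a Snort 2 text rule into header fields, sid and gid."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    keys = ("action", "proto", "src", "sport", "dir", "dst", "dport", "options")
    r = dict(zip(keys, m.groups()))
    opts = dict(re.findall(r'(\w+):\s*([^;]*);', r["options"]))
    r["sid"] = int(opts["sid"])
    r["gid"] = int(opts.get("gid", 1))   # text rules default to generator 1
    return r

def host_list(hosts):
    """Normalise hosts to CIDR; ip_network() rejects anything that is not an address."""
    return [str(ip_network(h)) for h in hosts]

def suppress_line(rule, hosts, track="by_src"):
    """Option 4 narrowed to the noisy hosts: a threshold.conf suppress entry."""
    r = parse_rule(rule)
    return (f"suppress gen_id {r['gid']}, sig_id {r['sid']}, "
            f"track {track}, ip [{','.join(host_list(hosts))}]")

def pass_rule(rule, hosts, pass_sid):
    """Option 1: same header, source narrowed to the noisy hosts (needs snort -o)."""
    r = parse_rule(rule)
    return (f"pass {r['proto']} [{','.join(host_list(hosts))}] {r['sport']} "
            f"{r['dir']} {r['dst']} {r['dport']} "
            f'(msg:"pass noisy SNMP pollers"; sid:{pass_sid}; rev:1;)')

def bpf_filter(rule, hosts):
    """Option 2: exclude only this traffic from the hosts, not everything they send."""
    r = parse_rule(rule)
    srcs = " or ".join(f"src net {n}" for n in host_list(hosts))
    port = f" and dst port {r['dport']}" if r["dport"] != "any" else ""
    return f"not ({r['proto']}{port} and ({srcs}))"

if __name__ == "__main__":
    noisy = ["10.1.1.1", "10.1.1.2/32"]        # constructed noisy pollers
    print(suppress_line(SNMP_RULE, noisy))
    print(pass_rule(SNMP_RULE, noisy, 1000001))  # 1000001: assumed local sid
    print(bpf_filter(SNMP_RULE, noisy))
```

The suppress entry is the least invasive choice because the rule file stays untouched and oinkmaster updates will not overwrite it.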