Snort mailing list archives
ignore host for just a couple of rules, not all
From: Roeland Weve <roeland () office netland nl>
Date: Fri, 15 Jun 2001 09:50:48 +0200
Is it possible to exclude some hosts for only one or two rules? Now I have an ignore.rules file where some rules are defined in which I exclude some 'trusted' hosts. But I want to define some rules that only exclude trusted hosts for a couple of rules. This is handy if you get too many false positives from a host on one rule, like the rule IDS297/http-directory-traversal1 that gives me 400 alerts from one host, because of something like this:

    47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C  GET /searchresul
    74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F  t/../pix/nav/mo_
    30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30  0_a.gif HTTP/1.0
    0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A  ..Referer: http:

I now exclude this host via:

    pass tcp any any -> hostip 80

but a rule like:

    pass 297,230 tcp any any -> hostip 80

would be better (where 297 and 230 are IDS alert numbers that must be ignored for that host).

Idea for a new update, or is this already implemented?

Roeland
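As an added example (not part of the original post or the Snort ruleset), two ways to get the per-rule, per-host exclusion asked for above: a Snort 1.x pass rule that repeats the signature's own match but is limited to the trusted host, and the suppress directive that later Snort 2.x versions added for exactly this purpose. The host 192.0.2.10, the content match "../" for the IDS297 traversal rule and the sid 1113 are assumptions.

```snort
# --- Snort 1.x: a pass rule that mirrors the signature ---
# "pass tcp any any -> 192.0.2.10 80" on its own silences every rule for
# that host.  Repeating the signature's match inside the pass rule keeps
# the exclusion limited to this one check.  (Host is a constructed
# example; "../" is assumed to be what the traversal rule matches on.)
pass tcp any any -> 192.0.2.10 80 (msg:"pass http traversal for trusted host"; flags:A+; content:"../";)

# The original signature keeps firing for every other destination, and
# every other rule keeps firing for the trusted host.  (Assumed form of
# the ruleset's traversal rule; $HTTP_SERVERS comes from snort.conf.)
alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory traversal"; flags:A+; content:"../"; reference:arachnids,297;)

# Snort 1.x evaluates Alert -> Pass -> Log by default, so the pass rule
# above only wins when Snort is started with -o (Pass -> Alert -> Log):
#   snort -o -c snort.conf

# --- Snort 2.x and later: suppress by signature and host ---
# In snort.conf or threshold.conf.  gen_id 1 is the rules engine, sig_id
# is the rule's sid (1113 assumed for the traversal rule), and track
# by_dst restricts the suppression to traffic towards the trusted host;
# add one line per (sid, host) pair that should stay quiet.
suppress gen_id 1, sig_id 1113, track by_dst, ip 192.0.2.10
```

The pass-rule approach has to be kept in sync by hand whenever the mirrored signature changes, which is why the suppress directive is the better fit once it is available.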
