Snort mailing list archives
Re: Remove Home_NET from EXTERNAL_NET any
From: DThomaz () flowserve com
Date: Wed, 3 Jul 2002 12:01:34 -0600
On Wed, 3 Jul 2002 DThomaz () flowserve com wrote:
How about removing an address from the rule:

alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)

I do not want to see alerts from 172.20.11.3. Should I edit at the rule or at the snort.conf? When I remove it from the rule I get this error running snort:

Jul 3 11:16:40 ormnm9 snort: FATAL ERROR: ERROR /etc/snort//misc.rules (7) => Rule netmask (16!172.20.11.3/30) didn't x-late, WTF?
Nope. Wrong syntax. Have a look at:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3
From what I'm reading, your question has changed a bit. Now you're wanting to 'ignore' a host and/or type of traffic from that host, but no others. If that's correct, then have a look at this:
http://www.theadamsfamily.net/~erek/snort/ignore.txt
If I'm wrong... *shrug* Guess that would be a penalty drink[0] for me. :)
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
[0] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
From erek () theadamsfamily net Tue Jun 18 11:40:30 2002
Date: Fri, 7 Jun 2002 11:43:18 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Got Snort? <snort-users () lists sourceforge net>
Subject: Ignore Hosts How-To
Ok, you have two basic options for ignoring hosts:
BPF Filters
Pass Rules
Both ways provide you with the potential to completely _blind_ your sensor to all traffic. This would be a 'Bad Thing(tm)'.
Here is a basic example of how to ignore a host with each method. Are they perfect? No. Want to improve and/or correct them? Sure! Feel free!
To ignore ICMP ECHO-REQUESTs (pings) and ICMP ECHO-REPLYs (ping replies) from host <foo> using BPF:
not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )
To ignore ALL ICMP traffic from host <foo> using a pass rule:
pass icmp <foo> any -> $HOME_NET any
And you _MUST_ start snort with the '-o' parameter for the pass rule to work correctly.
Anyone else got a better rule and/or filter?
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
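The two points the How-To above makes (the pass rule only takes effect when snort runs with '-o', and a BPF filter that is too broad blinds the sensor) as an added worked example; this is not part of the original thread and not Snort's code. It is a small Python model of Snort's rule-type processing order, default Alert -> Pass -> Log versus Pass -> Alert -> Log under '-o', run over constructed packets. The HOME_NET value (10.0.0.0/8), the flat packet records and the 10.x destination addresses are assumptions; 172.20.11.3 is the host from the thread, and $EXTERNAL_NET is treated as "any" as in the quoted rule.

```python
"""Model of Snort's rule-type ordering and BPF prefiltering.

Constructed illustration, not Snort's own code.  It shows why the How-To's
pass rule needs `-o` (Pass -> Alert -> Log instead of the default
Alert -> Pass -> Log) and why a BPF filter that is too broad blinds the sensor.
Assumptions: HOME_NET is 10.0.0.0/8, packets are the flat records below, and
$EXTERNAL_NET is "any", as in the rule quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass

HOME_NET = "10.0.0.0/8"   # assumed value; the thread never states it
FOO = "172.20.11.3"       # the host the original poster wants to ignore


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: int = -1   # only meaningful when proto == "icmp"
    size: int = 0         # payload length, what dsize: compares against


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


# Rules, modelled on the ones quoted in the thread.  A rule is a predicate.
def large_icmp_alert(pkt):
    """alert icmp $EXTERNAL_NET any -> $HOME_NET any (dsize:>800; sid:499)
    $EXTERNAL_NET is "any" here, so there is no source check."""
    return pkt.proto == "icmp" and in_net(pkt.dst, HOME_NET) and pkt.size > 800


def pass_icmp_from(host):
    """pass icmp <foo> any -> $HOME_NET any"""
    return lambda p: p.proto == "icmp" and p.src == host and in_net(p.dst, HOME_NET)


def bpf_ignore_ping_from(host):
    """not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> ) -- the How-To filter.
    Only echo request/reply involving <foo> is dropped; its other traffic stays."""
    return lambda p: not (p.proto == "icmp" and p.icmp_type in (8, 0)
                          and host in (p.src, p.dst))


def bpf_ignore_host(host):
    """not host <foo> -- too broad: every packet to or from <foo> is invisible."""
    return lambda p: host not in (p.src, p.dst)


ORDER_DEFAULT = ("alert", "pass", "log")   # snort without -o
ORDER_WITH_O = ("pass", "alert", "log")    # snort -o


def verdict(pkt, rules, order, bpf=lambda p: True):
    """Return 'dropped-by-bpf', 'alert', 'pass', 'log' or 'none'.

    BPF runs first, before any rule.  Then each rule type in `order` is tried
    and the first type with a matching rule decides the packet.  Under the
    default order an alert rule matches before the pass rule is consulted,
    which is the behaviour `-o` exists to change.
    """
    if not bpf(pkt):
        return "dropped-by-bpf"
    for rtype in order:
        if any(match(pkt) for t, match in rules if t == rtype):
            return rtype
    return "none"


RULES = [("alert", large_icmp_alert), ("pass", pass_icmp_from(FOO))]

# Constructed traffic: a large ping from foo, the same from another host,
# and a TCP packet from foo that only the over-broad filter would hide.
BIG_PING_FROM_FOO = Packet("icmp", FOO, "10.1.2.3", icmp_type=8, size=1000)
BIG_PING_FROM_OTHER = Packet("icmp", "192.0.2.9", "10.1.2.3", icmp_type=8, size=1000)
TCP_FROM_FOO = Packet("tcp", FOO, "10.1.2.3")


def demo():
    """Run every combination the How-To warns about; returns a dict of verdicts."""
    ping_filter = bpf_ignore_ping_from(FOO)
    host_filter = bpf_ignore_host(FOO)
    return {
        "pass rule without -o": verdict(BIG_PING_FROM_FOO, RULES, ORDER_DEFAULT),
        "pass rule with -o": verdict(BIG_PING_FROM_FOO, RULES, ORDER_WITH_O),
        "other host with -o": verdict(BIG_PING_FROM_OTHER, RULES, ORDER_WITH_O),
        "ping filter, ping from foo": verdict(BIG_PING_FROM_FOO, RULES, ORDER_DEFAULT, ping_filter),
        "ping filter, tcp from foo": verdict(TCP_FROM_FOO, RULES, ORDER_DEFAULT, ping_filter),
        "host filter, tcp from foo": verdict(TCP_FROM_FOO, RULES, ORDER_DEFAULT, host_filter),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} -> {result}")
```

Running it shows the large ping from 172.20.11.3 still producing "alert" under the default order and "pass" only under the '-o' order, while pings from any other host keep alerting. The How-To's BPF expression drops only the echo request/reply from that host and leaves its TCP traffic inspected; the plain `not host` form silently removes all of it, which is the blinding the How-To warns about.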
Erek,
If I want to use the pass rule, where do I have to add it? What is BPF?
Thanks,
David
Current thread:
- Remove Home_NET from EXTERNAL_NET any DThomaz (Jul 02)
- Re: Remove Home_NET from EXTERNAL_NET any Chris Green (Jul 02)
- Re: Remove Home_NET from EXTERNAL_NET any Erek Adams (Jul 02)
- <Possible follow-ups>
- Re: Remove Home_NET from EXTERNAL_NET any DThomaz (Jul 03)
- Re: Remove Home_NET from EXTERNAL_NET any Erek Adams (Jul 03)
- Re: Remove Home_NET from EXTERNAL_NET any DThomaz (Jul 03)
- Re: Remove Home_NET from EXTERNAL_NET any Erek Adams (Jul 03)
