Snort mailing list archives
RE: Rule to exclude a specific IP in Snort
From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Thu, 9 Oct 2003 07:50:48 -0500
Snort FAQ, Section 3.9
3.9 How do I ignore traffic coming from a particular host or hosts?
There are two basic ways to ignore traffic from a host:
* Pass Rules
* BPF Filters
Details:
1. Pass Rules:
   + Advantages:
     Gives you rule based control over the packets.
     Puts all your changes into 'one place', snort.conf.
   + Disadvantages:
     Reverses the Rule order, can cause some headaches in tracking down problems.
     One poorly written pass rule can 'blind' your whole network.
     The more specific the pass rule is, the more CPU snort needs to process it, which may be important on loaded nets.
   + Example:
     For example, to ignore ALL ICMP traffic from host <foo> using a pass rule:
       pass icmp <foo> any -> $HOME_NET any
2. BPF Filters:
   + Advantages:
     Drops the packet at the BPF interface, which saves on processing.
     Speeds up Snort since it 'never sees' those packets.
   + Disadvantages:
     Poorly constructed filters can 'blind-side' you.
   + Example:
     To ignore all traffic from 192.168.0.1:
       snort <commandline options> not host 192.168.0.1
     To ignore all ICMP ECHO-REQUESTs (pings) and ICMP ECHO-REPLYs (ping replies) from host <foo>:
       snort <options> "not ((icmp[0] = 8 or icmp[0] = 0) and host <foo>)"
**********
That'll ignore everything from that IP. If you want to pass just on
that rule, I'd create a pass rule for that specific IP address and then
make sure that you start snort with the '-o' switch to process pass
rules first (before alert rules). Like this:
alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)
pass ip 192.168.10.37 any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)
Then start snort with the -o so that it'll pass on the 192.168.10.37 ->
192.168.10.37 traffic before alerting on other traffic.
Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
-----Original Message-----
From: Juan M. Rivera [mailto:jrivera () aupr edu]
Sent: Thursday, October 09, 2003 7:20 AM
To: Snort Users List
Subject: [Snort-users] Rule to exclude a specific IP in Snort

I'm trying to modify the following Snort Rule:
alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)
I'm getting an alert on just one ip address and I know what the problem is. So I'm trying to modify this rule so that it takes into account any internal ip address except 192.168.10.37. How do I modify the rule?
Juan M. Rivera
IT Director
American University of P.R.
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
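Added example, not from the FAQ or from either poster: the alert rule left as quoted, a pass rule written as narrowly as the thread suggests, and the two start-up lines from FAQ 3.9 side by side so the difference in scope is visible. The sid 1000001 and the /etc/snort/snort.conf path are assumptions.

```snort
# Stock rule as quoted in the thread: fires on any packet whose source and
# destination address are identical, from any host.
alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)

# Pass rule limited to the one known host AND to the same-IP condition, so
# every other rule still sees that host's traffic. sid 1000001 is an assumed
# value in the local range; it keeps the pass rule from sharing sid 527 with
# the alert rule above.
pass ip 192.168.10.37 any -> 192.168.10.37 any (msg:"LOCAL pass same SRC/DST from 192.168.10.37"; sameip; sid:1000001; rev:1;)

# Start-up lines (shell commands, shown here as comments):
#
# The pass rule only takes effect if pass rules are evaluated before alert
# rules, which is what -o does for the Snort of this thread:
#   snort -c /etc/snort/snort.conf -o
#
# BPF alternative from FAQ 3.9. Cheaper, but 'host' matches the address as
# source or destination, so it hides ALL of that host's traffic from every
# rule, not just the same-IP packets:
#   snort -c /etc/snort/snort.conf not host 192.168.10.37
#
# Check that the pass rule is doing its job: with -o, same-IP packets from
# 192.168.10.37 stop appearing in the alert output, while a same-IP packet
# from any other address still raises sid 527.
```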