LinuxQuestions.org
Old 07-15-2004, 08:16 AM   #1
PixelCloud
LQ Newbie
 
Registered: Aug 2003
Distribution: Redhat WS 3.0
Posts: 15

Rep: Reputation: 0
Help with my snort rule set


The snort rule

Code:
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
is picking up far too many alerts from one of the servers on the company's network. I have talked to the owner and he said it is normal traffic. The point is I need to modify the rule to pass these types of alerts from one IP address on the network.


How would I go about doing this?
 
Old 07-17-2004, 01:35 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Check out the Snort FAQ section 3.9. There are basically two ways to do this: add a pass rule or a BPF. Pass rules are easy to write, but you then have to reverse the order that snort processes rules (you'll have to have snort read pass rules first). BPFs are easy to implement, but the syntax is different.
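Both approaches from the reply above, written out as an added example rather than anything posted in the thread. The address 192.0.2.10 is a placeholder for the server the owner vouched for, the file names and the Snort 2.x command lines are assumptions, and sid 1000001 is just a number in the local range.

```snort
# --- Option 1: pass rule (e.g. in local-pass.rules, included from snort.conf) ---
# Same header as sid 1417 (udp -> $HOME_NET 161), but only for the vouched-for
# source, so matching packets are passed silently instead of alerted on.
# Caveat: this hides EVERY SNMP request from that host, not only sid 1417.
pass udp 192.0.2.10 any -> $HOME_NET 161 (msg:"SNMP request udp - trusted poller"; sid:1000001; rev:1;)

# Snort 2.x tests rules in the order Alert -> Pass -> Log by default, so the
# alert would still fire first. Start snort with -o to switch the order to
# Pass -> Alert -> Log:
#   snort -c /etc/snort/snort.conf -o

# --- Option 2: BPF filter (one line in a file such as snort.bpf) ---
# Packets rejected by the filter never reach the detection engine, so no rule
# at all sees them. Note the outer "not": it keeps everything except SNMP
# requests from the trusted host.
#   not (src host 192.0.2.10 and udp and dst port 161)
# Start snort with -F to read the filter from that file:
#   snort -c /etc/snort/snort.conf -F snort.bpf
```

After either change, check that sid 1417 still fires for a different source address so the exception has not silenced the rule network-wide.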