The snort rule
Code:
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
is picking up far too many alerts from one of the servers on the company's network. I have talked to the owner and he said it is normal traffic. The point is I need to modify the rule to pass these types of alerts from one IP address on the network.
How would I go about doing this?
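Two ways of doing this in Snort 2.x, shown here as an added example rather than anything from the original post. Both keep sid 1417 active for every other host; the management station's address 192.0.2.10 and the variable name SNMP_MGMT_STATION are placeholders to replace with the real values.

```snort
# --- Option 1: event suppression (threshold.conf) ---
# The rule still runs, but no event is generated when the SOURCE of the
# SNMP request is the approved host. gen_id 1 is the rules engine and
# sig_id 1417 is the "SNMP request udp" rule from the question.
suppress gen_id 1, sig_id 1417, track by_src, ip 192.0.2.10

# --- Option 2: an explicit pass rule (snort.conf + local.rules) ---
# Placeholder variable for the approved host; define it in snort.conf
# next to HOME_NET / EXTERNAL_NET.
ipvar SNMP_MGMT_STATION 192.0.2.10

# Same protocol/port match as sid 1417, restricted to the one source, but
# with the "pass" action so the packet is dropped from further inspection.
# Local rules use sids above 1000000 so they never collide with the
# vendor rule set.
pass udp $SNMP_MGMT_STATION any -> $HOME_NET 161 (msg:"SNMP request from approved management station"; sid:1000001; rev:1;)
```

Suppression (option 1) is the safer choice: it only affects this one signature and does not depend on rule ordering. A pass rule silences every rule for that flow, so it should be as narrow as the one above (single source, UDP, port 161 only). Snort 2.x evaluates pass rules before alert rules by default; if pass rules appear to be ignored on an older build, check the `config order:` setting in snort.conf. After reloading, confirm that an SNMP request from any other source still raises sid 1417, and note that if the approved server is actually inside $HOME_NET and the rule is firing, $EXTERNAL_NET is probably set to `any`, which is worth fixing separately.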