
List:       snort-users
Subject:    Re: [Snort-users] Exclude IP Subnets and a IP address from a Specific rule
From:       Joel Esler <jesler () sourcefire ! com>
Date:       2013-08-30 15:46:04
Message-ID: EBD38F77-6DB1-46C3-940C-574C9B7C8D65 () sourcefire ! com



On Aug 30, 2013, at 11:33 AM, Matt Brichetto <m_brichetto@cuinterface.com> wrote:

> Hello,
> 
> This is a two-part question on two different topics that are related to each other. The first part is that I am looking for the best way to exclude an IP address from a specific rule in Snort. The second part is how to exclude specific external subnets from being scanned as they flow into the Snort box.
> 
> My setup is running on Windows Server 2008 64-bit. I used the WinSnort.com website for their guide on how to install and set everything up. I am also using PulledPork to auto-update my rules or signatures. I am new to the Snort setup, so please bear with me, as I may ask silly questions. Now on to the specific scenarios I have.
> 
> The first setup I need to do is to exclude an internal IP address from the specific rule below, because it flows into a spam filter of ours and we receive a ton of alerts from it that are not needed. The IP address of the device is 192.168.22.9 on our local subnet. (Rule is below.)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)
> 
> Here are the two options, after doing some research, that I think may work, but I would like to hear back from someone with experience in this. What I don't know is, if I edit the winids.rules file for a specific rule, will PulledPork just write over it?
> 
> First, edit the existing rule in the winids.rules file with an exclude "!" argument, so it may look like this:
> 
> alert tcp ![192.168.41.9/24] $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)
> 
> Another thought I had was adding a pass rule above the original rule, just with the specific IP address, in the winids.rules file, as well as taking out the $EXTERNAL_NET argument, because it is just a new rule:
> 
> pass tcp [192.168.41.9/24] any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:8;)
> 
> The second setup is excluding certain external IP subnets altogether from being scanned. What I want is that all the external IPs that come in are still seen, but that Snort ignores certain external subnets that I specify. My thought process is to either somehow modify the EXTERNAL_NET field in the snort.conf file, or to create a local file somehow that would just exclude the specific IP addresses I want Snort to ignore.
> 
> Through all of the reading I have done, there doesn't seem to be a defined way to do this, but I cannot be the only one who has needed to exclude IP addresses from certain places in Snort.
> 
> Thanks in advance for any help,

Check out Suppression:

http://manual.snort.org/node19.html#SECTION00343000000000000000

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
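Worked configuration for both parts of the question, added here as an example; it is not part of Joel's reply and not from the WinSnort guide. It uses the device address stated in the question (192.168.22.9), treats 192.168.41.0/24 as a second local range, uses the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as stand-ins for the external subnets to ignore, and sid 1000001 is a made-up local SID. The key point is where the change lives: PulledPork rewrites the rules files it manages, so an edit to winids.rules is lost on the next update, whereas a `suppress` line in threshold.conf, an `ipvar` in snort.conf and a rule in local.rules survive (PulledPork's own disablesid.conf / modifysid.conf are the supported way to persist edits to vendor rules). Suppression keeps the rule running and only discards the event for the named host, so it cannot hide a different rule's hit on the same packet, which a `pass` rule can.

```snort
# ---------------------------------------------------------------------------
# Part 1: exclude one internal host from a single rule -> event suppression
# Goes in threshold.conf (the stock 2.9 snort.conf has "include threshold.conf";
# check yours). gen_id 1 = text rules; sig_id 13364 = the GroupWise IMG SRC rule.
# ---------------------------------------------------------------------------

# Mail "flows into" the spam filter, so in the SMTP session the filter is the
# destination: drop the event when the destination is that host.
suppress gen_id 1, sig_id 13364, track by_dst, ip 192.168.22.9

# If the noisy alerts show 192.168.22.9 as the *source* instead (e.g. because
# EXTERNAL_NET is "any" and the filter relays onward), track by source:
# suppress gen_id 1, sig_id 13364, track by_src, ip 192.168.22.9

# The ip field accepts CIDR blocks and bracketed lists, so several hosts or a
# whole subnet can be excluded from just this SID. Note that a /24 on a host
# address (as in the draft rule, 192.168.41.9/24) covers the entire subnet.
# suppress gen_id 1, sig_id 13364, track by_dst, ip [192.168.22.9,192.168.41.0/24]

# Without "track ... ip ..." the SID is silenced for every host; if that is what
# you want, disabling the rule via PulledPork's disablesid.conf is cleaner.

# ---------------------------------------------------------------------------
# Part 2: ignore particular external subnets
# ---------------------------------------------------------------------------

# Option A (snort.conf): carve the ranges out of EXTERNAL_NET. Every vendor
# rule with $EXTERNAL_NET as source then stops matching them, but the packets
# are still decoded and seen by the preprocessors and by rules that use "any".
# Negated bracketed lists are documented for ipvar; confirm the parse with
# "snort -c snort.conf -T" after editing.
ipvar HOME_NET [192.168.22.0/24,192.168.41.0/24]
ipvar EXTERNAL_NET ![$HOME_NET,203.0.113.0/24,198.51.100.0/24]

# Option B (local.rules, which PulledPork leaves alone): a pass rule. Snort 2.9
# evaluates pass rules before alert rules by default (reversed only with
# --alert-before-pass), so a packet matching this rule never alerts on
# anything. Broader than option A: it also silences rules that use "any".
pass ip [203.0.113.0/24,198.51.100.0/24] any <> any any (msg:"LOCAL ignore trusted external ranges"; sid:1000001; rev:1;)
```

Validate with `snort -c <path>\snort.conf -T` after each change; a bad `suppress` line or a malformed `ipvar` list fails the config test rather than silently doing nothing. Do not reach for a BPF filter (`-F`) here: it removes the ranges from capture entirely, and the question asks that the traffic still be seen.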



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
