Re: [Snort-users] New User
At 07:47 AM 3/1/2005, Jerry Thompson wrote:
>1. How do I stop the alert Web-misc robots.txt access? I have searched
>every rule set and cannot find the rule.

Check web-misc.rules again..

    web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

>2. Is it possible to instruct snort to ignore entire subnets? For
>example, I would love to instruct Snort to ignore my private networks.
>Snort is monitoring my DMZ and I'm really only interested in alerts
>generated from the public side.

Probably the best thing would be to create a BPF filter for your snort command line. They're the same format as tcpdump, i.e.:

    snort net not 10.0.0.0/24

would ignore 10.0.0.0/24 as either a source or a destination, and packets to or from that network will be dropped before the snort rules see them (saves CPU time).

>Please don't beat me up for using a Windows version.

That's fine.. however, I would suggest getting yourself a copy of grep for Windows so you can use it to search all the rule files for a string.. I found your rule with:

    grep "robots.txt" *.rules

It may be a command-line utility, but grep really is a fantastically handy tool for stuff like this. Something based on GNU grep would work fine... Here's one project that ported several GNU Unix utility apps as native Windows command-line programs:

http://unxutils.sourceforge.net/
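The rule search from the reply above, as an added example that is not part of the original post: a Python script that parses Snort rule options, finds the rule behind an alert message, and comments it out by sid, which is one way to stop the alert. The sample file content, the second rule (sid 1000001) and all function names are constructed for illustration.

```python
import re

# Constructed sample standing in for a rules directory: the rule quoted in the
# reply above plus one made-up rule (sid 1000001) to exercise the parser.
SAMPLE_FILES = {
    "web-misc.rules": r'''# constructed sample file
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE made-up rule\; escaped semicolon"; content:"/example"; sid:1000001; rev:1;)
''',
}

# One option: quoted strings, backslash escapes or plain characters, up to ';'.
OPTION = re.compile(r'\s*((?:"(?:[^"\\]|\\.)*"|\\.|[^;"\\])+);')

def parse_options(rule):
    """Return {keyword: value} for the parenthesised option block of one rule."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return {}
    opts = {}
    for match in OPTION.finditer(rule[start + 1:end]):
        key, _, value = match.group(1).partition(":")
        opts.setdefault(key.strip(), value.strip().strip('"'))
    return opts

def find_rules(files, text):
    """List (file, line number, sid, enabled) for rules whose msg contains text."""
    hits = []
    for name, body in files.items():
        for number, line in enumerate(body.splitlines(), 1):
            rule = line.lstrip("# \t")  # also inspect commented-out rules
            opts = parse_options(rule) if rule.startswith("alert ") else {}
            if text.lower() in opts.get("msg", "").lower():
                enabled = not line.lstrip().startswith("#")
                hits.append((name, number, int(opts.get("sid", 0)), enabled))
    return hits

def disable_sid(body, sid):
    """Return the file text with the active rule carrying this sid commented out."""
    out = []
    for line in body.splitlines():
        active = line.lstrip().startswith("alert ")
        if active and parse_options(line).get("sid") == str(sid):
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(find_rules(SAMPLE_FILES, "robots.txt access"))
```

Matching on the parsed `msg` field rather than the raw line means a rule is found by the alert name shown in the log, even when the file name or the rest of the rule text is unknown.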