|Main Archive Page > Month Archives > snort-users archives|
I'm not sure if I'm thinking about this in the "Snort" way or not, but ...
I'm receiving a lot of "RPC portmap listing TPC 111" alerts from snort running in IDS mode. We have two different NFS servers which I can attribute 99% of the alarms from (over 4,000 in less than 24 hours).
I'd like to be able to specifically ignore requests going to these two servers. I assume this is a rules update, so I tried updating this rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)
Instead of $HOME_NET, I tried, [any,!IP#1, !IP#2]. It didn't seem to work as I continued to get the same RPC alarms.
Am I not thinking in the proper snort way, or is this just a syntax problem within my host list?