snort-users August 2009 archive

[Snort-users] Rules Question

From: Jacob Steinberger <trefalgar_at_nospam>
Date: Wed Aug 12 2009 - 17:24:30 GMT
To: snort-users@lists.sourceforge.net


I'm not sure if I'm thinking about this in the "Snort" way or not, but ...

I'm receiving a lot of "RPC portmap listing TCP 111" alerts from snort running in IDS mode. We have two different NFS servers to which I can attribute 99% of the alarms (over 4,000 in less than 24 hours).

I'd like to be able to specifically ignore requests going to these two servers. I assume this is a rules update, so I tried updating this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)

Instead of $HOME_NET, I tried [any,!IP#1, !IP#2]. It didn't seem to work, as I continued to get the same RPC alarms.

Am I not thinking in the proper snort way, or is this just a syntax problem within my host list?

Jacob
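Before deploying a rewritten destination list like the one above, it helps to check offline which addresses the list would still cover. The following Python script is an added example, not code from the thread or from the Snort project: it models the list semantics described in the Snort 2.8 manual (non-negated entries are ORed, negated entries are ORed, and an address matches only if it falls in the first set and not in the second). The NFS server addresses 10.0.0.5 and 10.0.0.6 are constructed placeholders for the poster's IP#1 and IP#2. Two behaviours are assumptions of this checker rather than verified Snort behaviour: that "any" may appear alongside negated entries, and that a list consisting only of negations means "everything else". Rule variables such as $HOME_NET are not expanded.

```python
"""
Offline checker for Snort-style IP lists (added example, not from the thread).

Models the list semantics described in the Snort 2.8 manual: non-negated
entries are ORed together, negated entries are ORed together, and an
address matches the list only if it is inside the first set and outside
the second.  'any' stands for every address.  The IPs used below are
constructed placeholders standing in for the poster's two NFS servers.
"""
import ipaddress


def parse_ip_list(spec):
    """Split a flat Snort IP list such as '[any,!10.0.0.5,!10.0.0.6]' or
    '192.168.1.0/24' into (positives, negatives).  Each element is an
    ip_network, except that a bare 'any' is stored as None.  Rule
    variables such as $HOME_NET are not expanded and raise ValueError."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positives, negatives = [], []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        negated = token.startswith("!")
        body = token[1:].strip() if negated else token
        if body.lower() == "any":
            if negated:
                raise ValueError("'!any' would match nothing and is rejected")
            positives.append(None)
        else:
            net = ipaddress.ip_network(body, strict=False)
            (negatives if negated else positives).append(net)
    if not positives:
        # Assumption: a list made only of negations means "everything else".
        positives.append(None)
    return positives, negatives


def _in_any(addr, nets):
    # None represents 'any' and therefore covers every address.
    return any(net is None or addr in net for net in nets)


def ip_matches(spec, addr):
    """True if addr is covered by the list: inside some positive entry and
    inside no negated entry."""
    addr = ipaddress.ip_address(addr)
    positives, negatives = parse_ip_list(spec)
    return _in_any(addr, positives) and not _in_any(addr, negatives)


def still_alerting(spec, destinations):
    """Return, sorted, the destinations a rule with destination field `spec`
    would still match; useful to confirm an exclusion list before reloading."""
    return sorted(d for d in destinations if ip_matches(spec, d))


if __name__ == "__main__":
    nfs_a, nfs_b, other = "10.0.0.5", "10.0.0.6", "10.0.0.7"  # constructed
    candidate = f"[any,!{nfs_a},!{nfs_b}]"
    print(candidate, "->", still_alerting(candidate, [nfs_a, nfs_b, other]))
```

Run it with the real server addresses substituted in; if the two NFS hosts still appear in the returned list, the problem is in the list itself, whereas if they are excluded here but alerts continue, the cause lies elsewhere (for example the rule file not having been reloaded, or a second copy of sid 598 still active).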




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users