  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 194

SNORT and ignoring hosts

Can't quite figure out how to ignore a single computer.

I have a computer which continuously gets the following alert. It is because it
is making lots of SNMP requests, which is what it is supposed to do. How do I
get Snort to ignore a single host like this, or just ignore this particular
alert?

thanks terry


[**] [1:1417:9] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/21-03:37:59.626234 12.170.222.13:53965 -> 12.170.222.148:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:118 DF
Len: 90
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012
http://www.securityfocus.com/bid/4132
http://www.securityfocus.com/bid/4089
http://www.securityfocus.com/bid/4088
Asked by: techbnjcomp
1 Solution
wesly_chen Commented:
Hi,

   Did you try:
# snort <args> not \( host <ip> \)

Wesly

techbnjcomp (Author) Commented:
I tried

snort -D -c ..\etc\snort.conf   not host 12.170.222.13

but that did not seem to work
chris_calabrese Commented:
The easiest way is to either modify the rule in question or write an "override" rule.

And the easiest way to maintain such local rules is with oinkmaster (http://sourceforge.net/projects/oinkmaster/). The docs talk about how to write such rules too.
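As an added example (not from any of the posters), this is the Snort 2.x way to silence exactly this alert for exactly this poller without editing or overriding the rule itself: it keys on the generator and signature id from the alert header `[1:1417:9]` and the poller's source address from the alert, and assumes a snort.conf that already has `include threshold.conf`.

```conf
# threshold.conf fragment (added example, assumes Snort 2.x and that
# snort.conf contains "include threshold.conf").
#
# Suppress GID 1 / SID 1417 ("SNMP request udp") only when the source
# is the known SNMP poller. The rule stays active for every other host,
# so a *different* machine starting to sweep port 161/udp still alerts.
suppress gen_id 1, sig_id 1417, track by_src, ip 12.170.222.13

# Alternative if you would rather keep a trace of the poller's activity
# than drop it completely: rate-limit the same event to one alert per
# hour per source host. Use this INSTEAD of the suppress line above.
# event_filter gen_id 1, sig_id 1417, type limit, track by_src, count 1, seconds 3600
```

After editing threshold.conf, restart Snort (or send it SIGHUP) for the change to take effect; the BPF approach suggested above differs in that it hides every packet from that host from all rules, whereas suppress only removes this one signature.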