Solved

Snort, Modify snort rule "WEB-CGI finger access" to ignore destination IP

Posted on 2010-09-14
5
1,095 Views
Last Modified: 2013-11-16
How do I change the snort rule to ignore when destination IP (e.g. desIP is 10.11.12.13)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; metadata:service http; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:8;)
0
Comment
Question by:rgbcof
  • 3
  • 2
5 Comments
 

Author Comment

by:rgbcof
ID: 33674300
More info on the question:
Source IP          Dest IP           Port
10.11.11.11      10.11.12.13      80         Snort         WEB-CGI finger access

So I want this SNORT rule to ignore when DestIP is 0.11.12.13
0
 
LVL 3

Expert Comment

by:gorhon
ID: 33674310
Hello,

First find snort attack id number for this attack.

Please open the threshold.conf file. and goto last line and

suppress gen_id 122, sig_id 27, track by_src, ip 192.168.1.0/24

(gen id 122 and signature id 27 not collect from the 192.168.1.0/24 network)




14.09.jpg
0
 

Author Comment

by:rgbcof
ID: 33674377
How do you modify the SNORT rule?
0
 
LVL 3

Accepted Solution

by:
gorhon earned 125 total points
ID: 33674450
Sorry, this your rule. But how change rules? Many many hardwork. Good luck.

suppress gen_id xxxx, sig_id yyy, track by_dst, ip 10.11.12.13/32


0
 

Author Closing Comment

by:rgbcof
ID: 33674844
Great, thanks for the lead.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

OVERVIEW This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM). AUDIENCE Information Technology personnel responsible for suppo…
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now