[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1172
  • Last Modified:

Snort, Modify snort rule "WEB-CGI finger access" to ignore destination IP

How do I change the snort rule to ignore when destination IP (e.g. desIP is 10.11.12.13)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; metadata:service http; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:8;)
0
rgbcof
Asked:
rgbcof
  • 3
  • 2
1 Solution
 
rgbcofAuthor Commented:
More info on the question:
Source IP          Dest IP           Port
10.11.11.11      10.11.12.13      80         Snort         WEB-CGI finger access

So I want this SNORT rule to ignore when DestIP is 0.11.12.13
0
 
gorhonCommented:
Hello,

First find snort attack id number for this attack.

Please open the threshold.conf file. and goto last line and

suppress gen_id 122, sig_id 27, track by_src, ip 192.168.1.0/24

(gen id 122 and signature id 27 not collect from the 192.168.1.0/24 network)




14.09.jpg
0
 
rgbcofAuthor Commented:
How do you modify the SNORT rule?
0
 
gorhonCommented:
Sorry, this your rule. But how change rules? Many many hardwork. Good luck.

suppress gen_id xxxx, sig_id yyy, track by_dst, ip 10.11.12.13/32


0
 
rgbcofAuthor Commented:
Great, thanks for the lead.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now