?
Solved

Snort, Modify snort rule "WEB-CGI finger access" to ignore destination IP

Posted on 2010-09-14
5
Medium Priority
?
1,159 Views
Last Modified: 2013-11-16
How do I change the snort rule to ignore when destination IP (e.g. desIP is 10.11.12.13)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; metadata:service http; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:8;)
0
Comment
Question by:rgbcof
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 

Author Comment

by:rgbcof
ID: 33674300
More info on the question:
Source IP          Dest IP           Port
10.11.11.11      10.11.12.13      80         Snort         WEB-CGI finger access

So I want this SNORT rule to ignore when DestIP is 0.11.12.13
0
 
LVL 3

Expert Comment

by:gorhon
ID: 33674310
Hello,

First find snort attack id number for this attack.

Please open the threshold.conf file. and goto last line and

suppress gen_id 122, sig_id 27, track by_src, ip 192.168.1.0/24

(gen id 122 and signature id 27 not collect from the 192.168.1.0/24 network)




14.09.jpg
0
 

Author Comment

by:rgbcof
ID: 33674377
How do you modify the SNORT rule?
0
 
LVL 3

Accepted Solution

by:
gorhon earned 500 total points
ID: 33674450
Sorry, this your rule. But how change rules? Many many hardwork. Good luck.

suppress gen_id xxxx, sig_id yyy, track by_dst, ip 10.11.12.13/32


0
 

Author Closing Comment

by:rgbcof
ID: 33674844
Great, thanks for the lead.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
PREFACE The purpose of this guide is to provide information to successfully add specific IIS 7.0 role services for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008. AUDIENCE Information Technol…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question