rgbcof
asked on
Snort, Modify snort rule "WEB-CGI finger access" to ignore destination IP
How do I change the Snort rule to ignore a destination IP (e.g. dest IP is 10.11.12.13)?
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established ; uricontent:"/finger"; nocase; metadata:service http; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:8;)
Hello,
First, find the Snort attack ID number for this attack.
Please open the threshold.conf file, go to the last line and add:
suppress gen_id 122, sig_id 27, track by_src, ip 192.168.1.0/24
(gen id 122 and signature id 27 are not collected from the 192.168.1.0/24 network)
ASKER
How do you modify the SNORT rule?
ASKER
Great, thanks for the lead.
ASKER
Source IP    Dest IP      Port
10.11.11.11  10.11.12.13  80    Snort WEB-CGI finger access
So I want this SNORT rule to ignore when DestIP is 0.11.12.13
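The following is an added example, not part of the original thread. It shows two ways to stop sid 839 from alerting on traffic to 10.11.12.13 in Snort 2.x. It assumes $HTTP_SERVERS is set to a concrete address range that includes that host, that the rule is a standard text rule (generator ID 1), and that 1000839 is a free local SID (a constructed value).

```conf
# --- Option 1: threshold.conf -----------------------------------------
# Keep the stock rule untouched and suppress its alerts for one destination.
# gen_id 1 is the generator for ordinary text rules; sig_id 839 is the
# sid shown in the rule above. track by_dst matches on the destination IP.
suppress gen_id 1, sig_id 839, track by_dst, ip 10.11.12.13

# --- Option 2: local.rules --------------------------------------------
# Disable (comment out) the stock sid:839 rule, then add a local copy
# whose destination list excludes the host. A local SID (>= 1000000) is
# used so a later ruleset update does not overwrite the change.
# Before (stock header):
#   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (...)
# After (destination list with a negated address):
alert tcp $EXTERNAL_NET any -> [$HTTP_SERVERS,!10.11.12.13] $HTTP_PORTS (msg:"WEB-CGI finger access (excl. 10.11.12.13)"; flow:to_server,established; uricontent:"/finger"; nocase; metadata:service http; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:1000839; rev:1;)
```

Option 1 still evaluates the rule and only drops the alert, so it is the smaller change and easy to audit. With either option, requests for /finger sent to 10.11.12.13 will no longer be reported, so record why that host is excluded.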