Whitelist IP for a Signature


Agam Jain

Feb 2, 2017, 7:04:29 PM
to security-onion
Hi Team,

Please help me whitelist a particular IP for a single signature only,
such that for signature A, IP x cannot trigger it.

Regards,
Agam

Wes

Feb 2, 2017, 8:10:39 PM
to security-onion

Agam,

You could use modifysid.conf to modify the behavior for a specific rule, negating the IP address (as shown in the Snort rule documentation):

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#modifysidconf

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00423000000000000000

Thanks,
Wes

Agam Jain

Feb 2, 2017, 9:06:29 PM
to securit...@googlegroups.com
Hi Wes,

Can you provide me the signatures for the SIDs below, so I can apply the above info?

2809505
2809506

regards,
agam


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/F3yuynIaeos/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Wes

Feb 2, 2017, 10:03:09 PM
to security-onion

Agam,

I'm not sure what rules these SIDs apply to -- they appear to be ET Pro rules, is that correct?

To find the rule, you could grep /etc/nsm/rules/downloaded.rules for the particular SID.

Again, do not hesitate to refer to the Snort manual for syntax:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00423000000000000000


Thanks,
Wes

Agam Jain

Feb 3, 2017, 8:16:27 AM
to securit...@googlegroups.com
Yes Wes, these are ETPRO rules.


2809505 - ETPRO ATTACK_RESPONSE MongoDB Database Enumeration Request
2809506 - ETPRO ATTACK_RESPONSE MongoDB Version Request

Regards,
Agam


Wes

Feb 4, 2017, 8:18:59 AM
to security-onion

Agam,

I was referring to the actual rule that the content of the traffic matches on.

Ex. alert tcp $HOME_NET any -> any 6667 (msg:"IRC port in use"; flow:from_client,stateless; sid:10550; rev:1;)

Thanks,
Wes
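As an added example (not code from this thread, from Security Onion or from PulledPork), the two steps Wes describes, grepping the rule out of the downloaded rules file and negating an address in its header through modifysid.conf, put together in one POSIX shell script. It assumes PulledPork's modifysid.conf line format of `SID "old text" "new text"` with the `$` of a variable name escaped as `\$` (check the comments in your own modifysid.conf), the Snort header layout `action proto src sport -> dst dport`, and address fields without embedded whitespace. The rules file below is constructed for the example (the real ETPRO 2809505/2809506 rule text is not on this page) and 192.0.2.10 is a placeholder address.

```shell
#!/bin/sh
# Added example, not from the thread, Security Onion or PulledPork.
# Given a rules file, a SID, an IP and a side (src|dst), build the
# modifysid.conf line that excludes that IP from the rule's address field,
# and preview the rule as it would read after the rewrite.
# Assumptions: no whitespace inside the header's address fields, and
# modifysid.conf escapes $ in variable names as \$.

# Print the rule carrying "sid:<SID>;" (first match only).
rule_for_sid() {  # $1 = rules file, $2 = sid
    grep -E "(^|[[:space:]])sid:[[:space:]]*$2[[:space:]]*;" "$1" | head -n 1
}

# Header layout: action proto src sport dir dst dport (options)
field_index() {  # $1 = src|dst
    case "$1" in
        src) echo 3 ;;
        dst) echo 6 ;;
        *) echo "side must be src or dst" >&2; return 1 ;;
    esac
}

addr_field() {  # $1 = rule line, $2 = field index
    printf '%s\n' "$1" | awk -v i="$2" '{print $i}'
}

# New address spec: negate the IP inside a list, or on its own when the
# field is "any" (Snort does not accept "any" as a member of an IP list).
exclude_ip() {  # $1 = current address field, $2 = IP or CIDR to exclude
    if [ "$1" = "any" ]; then
        printf '!%s\n' "$2"
    else
        printf '[%s,!%s]\n' "$1" "$2"
    fi
}

escape_dollars() {  # $1 = text; "$EXTERNAL_NET" -> "\$EXTERNAL_NET"
    printf '%s\n' "$1" | sed 's/\$/\\$/g'
}

# Emit the modifysid.conf line: SID "old" "new" (assumed escaping convention).
modifysid_line() {  # $1 = sid, $2 = old field, $3 = new field
    printf '%s "%s" "%s"\n' "$1" "$(escape_dollars "$2")" "$(escape_dollars "$3")"
}

# Preview: the rule with the address field swapped, i.e. the intended result.
preview_rule() {  # $1 = rule line, $2 = field index, $3 = new field
    printf '%s\n' "$1" | awk -v i="$2" -v nf="$3" '{$i = nf; print}'
}

whitelist_ip_for_sid() {  # $1 = rules file, $2 = sid, $3 = ip, $4 = src|dst
    idx=$(field_index "$4") || return 1
    rule=$(rule_for_sid "$1" "$2")
    [ -n "$rule" ] || { echo "sid $2 not found in $1" >&2; return 1; }
    old=$(addr_field "$rule" "$idx")
    new=$(exclude_ip "$old" "$3")
    modifysid_line "$2" "$old" "$new"
    preview_rule "$rule" "$idx" "$new"
}

# Constructed sample rules file; the ETPRO rules themselves are not public.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"EXAMPLE MongoDB enumeration"; flow:to_server,established; sid:9000001; rev:1;)
alert tcp any any -> $HOME_NET 27017 (msg:"EXAMPLE MongoDB version request"; flow:to_server,established; sid:9000002; rev:1;)
EOF

whitelist_ip_for_sid "$SAMPLE_RULES" 9000001 192.0.2.10 src
whitelist_ip_for_sid "$SAMPLE_RULES" 9000002 192.0.2.10 src
rm -f "$SAMPLE_RULES"
```

The first line each call prints is what goes into modifysid.conf; the second is the header PulledPork should produce. On Security Onion, point the script at /etc/nsm/rules/downloaded.rules, append the generated line to modifysid.conf, run `sudo rule-update`, and then confirm the rewritten header actually appears in downloaded.rules, since a mis-escaped pattern fails silently by matching nothing. Two Snort rules to keep in mind: `any` cannot appear inside a bracketed list (hence the `!IP` form above), and a negated entry may not be broader than the non-negated addresses in the same list. If the goal is only to silence alerts from one address rather than change what the rule inspects, Snort's threshold.conf `suppress gen_id 1, sig_id <SID>, track by_src, ip <IP>` does that without touching the rule text.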
