How to exclude IP After enabling all default Snort Rules


Yang Jae

Jun 24, 2015, 10:35:39 PM
to securit...@googlegroups.com
Today I got help for my IDS from the Enabling all default Snort Rules post.

sudo vi /etc/nsm/pulledpork/enablesid.conf
add in the file => pcre:alert
sudo /usr/bin/rule-update
sudo service nsm restart

so snorby is more active than before.

Thanks


Anyway, I have a question.

How can I exclude our IPs so that Snorby shows no alerts for company IPs?

Please help in detail.


Thanks

Doug Burks

Jun 24, 2015, 10:44:59 PM
to securit...@googlegroups.com
Hi Yang,

Replies inline.

On Wed, Jun 24, 2015 at 10:32 PM, Yang Jae <rem...@gmail.com> wrote:
> Today I got help for my IDS from the Enabling all default Snort Rules post.
>
> sudo vi /etc/nsm/pulledpork/enablesid.conf
> add in the file => pcre:alert
> sudo /usr/bin/rule-update
> sudo service nsm restart
>
> so snorby is more active than before.
>
> Thanks

You really don't want to do this long-term. The post where I
mentioned that was specifically related to enabling snort rules
temporarily. Long-term you should only run the rules necessary for
your environment.

> Anyway, I have a question.
>
> How can I exclude our IPs so that Snorby shows no alerts for company IPs?

Have you considered using a BPF?
https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Yang Jae

Jun 25, 2015, 7:12:35 AM
to securit...@googlegroups.com
Thanks for your quick reply.

You really don't want to do this long-term. The post where I
mentioned that was specifically related to enabling snort rules
temporarily. Long-term you should only run the rules necessary for
your environment.

=> I do not know how to follow your guideline. If possible, please write it in detail.
=> I tried to follow it.

I edited /etc/nsm/eth1/bpf-ids.conf and added this:

!(host IP Address1) &&
!(host IP Address2) &&

and after nsm restarted,

netsniff-ng and prads failed to start.

Is it normal after setting?

Please check sostat files.

Thanks




sostat-redacted.txt

Heine Lysemose

Jun 25, 2015, 7:32:05 AM
to securit...@googlegroups.com
Hi

Did you break the symbolic links?
You need to remove the last && from the line, or it will expect another line.

Regards,
Lysemose






Doug Burks

Jun 25, 2015, 7:33:05 AM
to securit...@googlegroups.com
On Thu, Jun 25, 2015 at 12:00 AM, Yang Jae <rem...@gmail.com> wrote:
> Thanks for your quick reply.
>
> You really don't want to do this long-term. The post where I
> mentioned that was specifically related to enabling snort rules
> temporarily. Long-term you should only run the rules necessary for
> your environment.
>
> => I do not know how to follow your guideline. If possible, please write it in detail.

Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts

Yang Jae Lee

Jun 25, 2015, 8:23:06 PM
to securit...@googlegroups.com
On Thursday, June 25, 2015 at 8:32:05 PM UTC+9, Lysemose wrote:
Thanks for your reply.

I forgot to do this setup:

cd /etc/nsm/$HOSTNAME-$INTERFACE/
# Remove the default Snort BPF symlink
sudo rm bpf-ids.conf
# Create a new Snort BPF file and add your custom BPF
sudo vi bpf-ids.conf
# Restart Snort
sudo nsm_sensor_ps-restart --only-snort-alert

and it works after that, with the file like this:

!(host IP Address1) &&
!(host IP Address2)


Thank you, Lysemose.


Thanks Doug Burks

I will refer to check alerts of others in SO.

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts
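The two mistakes in this thread (a trailing `&&` that makes the BPF parser expect another term, and a mistyped address) are easy to catch before restarting the sensor processes. The script below is an added example, not Security Onion's or PulledPork's own tooling: it builds a bpf-ids.conf body in the one-clause-per-line layout shown above and lints an existing body for a dangling operator or unbalanced parentheses. The IP addresses in it are constructed sample values.

```python
"""Build and lint a bpf-ids.conf body that excludes specific hosts.

Added example (not Security Onion code). Layout follows the thread:
one '!(host X) &&' clause per line, with no '&&' after the last clause.
Sample addresses below are constructed, not real company hosts.
"""
import ipaddress
from typing import List

# Tokens that cannot legally end a BPF expression.
_DANGLING = {"&&", "||", "and", "or", "not", "!"}


def build_exclusion_bpf(hosts: List[str]) -> str:
    """Return a multi-line BPF expression that excludes every address in hosts.

    Each address is validated with ipaddress, so a typo raises ValueError
    instead of silently producing a filter that matches the wrong traffic.
    Clauses are joined with ' &&\\n', so the final line carries no operator.
    """
    if not hosts:
        raise ValueError("at least one host is required")
    clauses = []
    for h in hosts:
        ipaddress.ip_address(h)  # raises ValueError on a malformed address
        clauses.append(f"!(host {h})")
    return " &&\n".join(clauses)


def lint_bpf(text: str) -> List[str]:
    """Return a list of problems found in a BPF file body; empty means sane.

    Catches the failure modes discussed in the thread: an empty filter,
    a trailing boolean operator, and unbalanced parentheses.
    """
    problems = []
    tokens = text.split()
    if not tokens:
        problems.append("filter is empty")
        return problems
    if tokens[-1] in _DANGLING:
        problems.append("filter ends with a dangling boolean operator")
    if text.count("(") != text.count(")"):
        problems.append("unbalanced parentheses")
    return problems


if __name__ == "__main__":
    # Constructed sample hosts; replace with your own before writing the file.
    good = build_exclusion_bpf(["192.0.2.10", "192.0.2.11"])
    print("generated filter:\n" + good)
    print("lint:", lint_bpf(good) or "ok")

    # The broken form from the thread: trailing '&&' on the last line.
    broken = "!(host 192.0.2.10) &&\n!(host 192.0.2.11) &&\n"
    print("lint of broken filter:", lint_bpf(broken))
```

`host X` matches X as either source or destination, so every clause hides both directions of that host's traffic from Snort entirely, not just from Snorby, and the exclusion is a blind spot rather than a suppression; keep the list short and review it when hosts are reassigned. As the thread notes, bpf-ids.conf is a symlink to the shared bpf.conf by default, so replace the link with a real file before editing or netsniff-ng and prads pick up the same filter.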
