custom squert filtering

Steven Hostetler

Feb 19, 2015, 3:24:46 PM
to securit...@googlegroups.com
Hi,

Is there a way to filter snort alerts in squert to exclude a particular IP? I have an IP performing a penetration test and want to exclude the noise in searches for the time being.

"no sip X.X.X.X" does not appear to work. It returns all alerts. Any ideas?



Thanks!

Paul Halliday

Feb 19, 2015, 4:58:04 PM
to securit...@googlegroups.com
Open the filter editor and click the "+" in the top right hand corner;
this will create a filter called "New". Expand the "New" filter, clear
the boilerplate and paste this:

{
"alias": "tmp",
"name": "tmp",
"notes": "This is a temporary bypass",
"filter": "(INET_NTOA(event.src_ip) NOT IN('scanner_ip') AND INET_NTOA(event.dst_ip) NOT IN('scanner_ip'))"
}

Then save and just input 'tmp' into the filter box. If there are
multiple addresses, comma-separate them within the parentheses above
like:

IN('10.0.0.1','10.0.0.2','10.0.0.3','10.0.0.4')



--
Paul Halliday
http://www.pintumbler.org/
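An added helper (not part of the thread or of squert itself) that generates the bypass filter above for any list of scanner addresses: it validates each IP, quotes every entry so a dropped quote cannot slip in, and emits the JSON with the "filter" value on a single line, which is the form squert's filter editor accepts. The function names and default alias/notes strings are assumptions of this example.

```python
import ipaddress
import json


def build_squert_bypass_filter(scanner_ips, alias="tmp", name="tmp",
                               notes="This is a temporary bypass"):
    """Return a squert filter object (as a dict) that hides every event
    whose source or destination address is one of scanner_ips.

    Sguil stores event.src_ip / event.dst_ip as integers, so the WHERE
    fragment wraps them in INET_NTOA() before comparing against the
    dotted-quad strings in the NOT IN(...) list.
    """
    if not scanner_ips:
        raise ValueError("at least one scanner IP is required")
    quoted = []
    for ip in scanner_ips:
        # IPv4Address() raises ValueError on a malformed entry, so a
        # typo is caught here instead of producing a broken SQL filter.
        addr = ipaddress.IPv4Address(ip.strip())
        quoted.append("'%s'" % addr)
    in_list = "IN(%s)" % ",".join(quoted)
    # Keep the whole fragment on one line: a "filter" value that spans
    # several lines is rejected by the filter editor.
    where = ("(INET_NTOA(event.src_ip) NOT %s AND "
             "INET_NTOA(event.dst_ip) NOT %s)" % (in_list, in_list))
    return {"alias": alias, "name": name, "notes": notes, "filter": where}


def filter_json(scanner_ips):
    """Serialise the filter as single-line JSON ready to paste into the
    squert filter editor."""
    doc = json.dumps(build_squert_bypass_filter(scanner_ips), indent=None)
    assert "\n" not in doc  # sanity check: nothing may wrap the filter
    return doc


if __name__ == "__main__":
    # Constructed sample list; replace with the pentester's real addresses.
    print(filter_json(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]))
```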

Steven Hostetler

Feb 20, 2015, 10:20:31 AM
to securit...@googlegroups.com
Thanks Paul!

I just needed to make sure that the "filter" was all on the same line for it to accept the syntax.