How to modify snort rules
-
Hi
I am very new to snort, so please be patient with me. I am looking at this rule:
snort[44158]: [1:15306:3] WEB-CLIENT Portable Executable binary file transfer [Classification: Misc activity] [Priority: 3] {TCP} 213.199.149.118:80 -> 192.168.1.7:38777
This rule is blocking IPs because Windows Server is trying to download updates from the Microsoft website.
Now, from my small knowledge, I can disable the rule or I can whitelist the IP,
but there are 2 problems:
(a)
I don't want to disable the rule; I want to keep it running so that I can monitor when something is downloaded on any computer in our company, but I don't want to block anything downloaded onto the Windows server whose IP is 192.168.1.7. So I want to modify this rule like this:
Don't block anything by rule 15306 if the DST IP is 192.168.1.7; block anything else.
(b) I can't whitelist IPs, as Microsoft has loads of IPs; it is impossible to whitelist all the Microsoft IPs.
Thanks for the help
So I am looking for solution (a).
Can anyone help me on this please?
thanks
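One way to get exactly behaviour (a) without disabling the rule, as an added example that is not part of the original post: Snort's `suppress` directive (Snort 2.x, placed in threshold.conf, which snort.conf includes) keeps rule 1:15306 enabled but drops the event only when the destination is one host. The gen_id and sig_id come from the `[1:15306:3]` in the alert line above; 192.168.1.7 is the server's IP from the question.

```conf
# Added example, not from the thread. Goes in threshold.conf (Snort 2.x).
# Syntax: suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <ip or CIDR>

# Too blunt: this silences 1:15306 for every host, same effect as disabling the rule.
# suppress gen_id 1, sig_id 15306

# Targeted: suppress 1:15306 only when the destination is the Windows server
# (192.168.1.7, taken from the question). Every other host on the network
# still triggers the rule, so alerting and blocking continue for them.
suppress gen_id 1, sig_id 15306, track by_dst, ip 192.168.1.7
```

Note that a suppressed event is not logged at all for that host, so PE downloads to 192.168.1.7 will no longer appear in the alert log either; check the alert file after a reload to confirm that other destinations still fire the rule.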
-
I found that disabling the 'snort_web-client.rules' #15306 (WEB-CLIENT Portable Executable binary file transfer) worked for me. Cleared out the blocked list and all seems to be working again.
Suspect there's another little gremlin in there as well. Hell of an 'all-inclusive' rule to break Windows Updates ::)