Snort mailing list archives

Re: Re: excluding a host from rule


From: Joe McAlerney <joey () SiliconDefense com>
Date: Thu, 30 May 2002 18:04:29 -0700

Be careful though.  This will ignore any attacks destined to your
scanning box (192.168.200.3) as well.  If you want to ignore rule based
alerts originating from your scanner, create pass rules:

pass ip 192.168.200.3/32 any -> $HOME_NET any

To ignore portscans from your scanner:

preprocessor portscan-ignorehosts: 192.168.200.3/32

Note, this will still log any "stealth" scans.  If you really want to
ignore these, you will have to get creative with BPF filters applied to
your scanner's IP.

But, if you trust the box your scanner is on like it's your co-pilot you
can simply block Snort from seeing ALL traffic FROM your scanner using a
BPF filter similarly to the way Alex suggested:

snort -dev -c snort.conf not src host 192.168.200.3
                             ^^^

hth,

-Joe M.

--
Joe McAlerney
Silicon Defense: IDS Solutions


------
Example: snort -dev -c snort.conf  not host 192.168.200.3
 
Alex
Brazil
 
 

       ----- Original Message ----- 
       From: Chang, Andre 
       To: 'snort-users () lists sourceforge net' 
       Sent: Thursday, May 30, 2002 6:19 PM
       Subject: [Snort-users] excluding a host from rule

       Can you exclude specific hosts from triggering the alert in a
       rule?  But still get alerted by that rule if any other hosts
       try the same action.

       Example: you have a port scan on your network and you do not want
       to get alerted by that host doing the scan but you do want
       to get alerted by anyone else performing a port scan.
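The three exclusion options discussed in this thread hide different amounts of traffic from Snort, and the point Joe makes (that `not host` also blinds Snort to attacks aimed at the scanner, while `not src host` and a pass rule do not) is easy to check with a small model. The following is an added example, not code from the thread or from the Snort project: it models `not host`, `not src host` and the `pass ip 192.168.200.3/32 any -> $HOME_NET any` rule as predicates over a few constructed packets. The scanner address 192.168.200.3 comes from the thread; the value of `$HOME_NET` (192.168.200.0/24), the sample packets and their labels are assumptions made for the example.

```python
"""Added example (not from the thread or from Snort): a model of the three
ways to exclude the scanner host that are discussed above, run over a few
constructed packets so the difference in coverage is visible.

Assumptions: the scanner is 192.168.200.3 (from the thread); $HOME_NET is
taken to be 192.168.200.0/24 (the thread does not state it). The predicates
model only the address semantics that matter here; they are not a BPF or
Snort implementation.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SCANNER = ipaddress.ip_address("192.168.200.3")
HOME_NET = ipaddress.ip_network("192.168.200.0/24")  # assumed value of $HOME_NET


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    label: str  # what this constructed packet stands for


# Constructed sample traffic (labels are descriptive only).
SAMPLE = [
    Packet("192.168.200.3", "192.168.200.10", "scan probe from scanner"),
    Packet("10.0.0.5", "192.168.200.3", "attack against scanner"),
    Packet("10.0.0.5", "192.168.200.10", "scan probe from outsider"),
    Packet("192.168.200.3", "203.0.113.7", "scanner probing external host"),
]


def bpf_not_host(pkt: Packet) -> bool:
    """`not host 192.168.200.3`: Snort never sees packets to OR from the scanner."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return src != SCANNER and dst != SCANNER


def bpf_not_src_host(pkt: Packet) -> bool:
    """`not src host 192.168.200.3`: only packets FROM the scanner are dropped
    before capture; traffic aimed at the scanner is still inspected."""
    return ipaddress.ip_address(pkt.src) != SCANNER


def pass_rule(pkt: Packet) -> bool:
    """`pass ip 192.168.200.3/32 any -> $HOME_NET any`: rule-based alerts for
    scanner -> $HOME_NET traffic are suppressed. Scanner traffic leaving
    $HOME_NET is not covered, and Snort still captures every packet, so
    preprocessor output is unaffected by this rule."""
    from_scanner = ipaddress.ip_address(pkt.src) == SCANNER
    to_home = ipaddress.ip_address(pkt.dst) in HOME_NET
    return not (from_scanner and to_home)


def inspected(filter_fn, packets=SAMPLE) -> list[str]:
    """Labels of the packets that still reach Snort's rule engine."""
    return [p.label for p in packets if filter_fn(p)]


def compare(packets=SAMPLE) -> dict[str, list[str]]:
    """What each exclusion method lets through, keyed by method name."""
    return {
        "not host": inspected(bpf_not_host, packets),
        "not src host": inspected(bpf_not_src_host, packets),
        "pass rule": inspected(pass_rule, packets),
    }


if __name__ == "__main__":
    for name, seen in compare().items():
        print(f"{name:13s}: {seen}")
```

Running it shows `not host` discarding the "attack against scanner" packet entirely, while `not src host` and the pass rule keep it; the pass rule additionally keeps scanner traffic that leaves `$HOME_NET`, which neither BPF expression does.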
