Snort mailing list archives
RE: excluding a host from rule
From: "Don" <Don () WeberOnTheWeb com>
Date: Fri, 31 May 2002 08:32:37 -0700
create a variable named $TRUSTED_HOSTS like so var $TRUSTED_HOSTS [192.168.0.45/32,192.168.0.91/32] fill that line in as necessarry and add the !$TRUSTED_HOSTS variable to the rule your wish to exclude those hosts from, then restart snort. Don -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Chang, Andre Sent: Thursday, May 30, 2002 2:20 PM To: 'snort-users () lists sourceforge net' Subject: [Snort-users] excluding a host from rule Can you exclude specific hosts from triggering the alert in a rule? But still get alerted by that rule if any other hosts try the same action. Example you have a port scan on your network and you do not want to get alerted by that host doing the scan but you do want to get alerted by anyone else performing a port scan.
Current thread:
- excluding a host from rule Chang, Andre (May 30)
- Re: excluding a host from rule Alex Pinheiro Machado Rodrigues (May 30)
- Re: Re: excluding a host from rule Joe McAlerney (May 30)
- RE: excluding a host from rule Don (May 31)
- Re: excluding a host from rule Alex Pinheiro Machado Rodrigues (May 30)