Snort mailing list archives
Re: Exclude hosts in snort
From: JP Vossen <vossenjp () netaxs com>
Date: Mon, 11 Aug 2003 18:03:04 -0400 (EDT)
From: "Jason" <netlist () kua net>
To: <snort-users () lists sourceforge net>
Date: Mon, 11 Aug 2003 12:01:25 -0400
Subject: [Snort-users] Exclude hosts in snort

I have searched the posts and web and can't seem to find an easy/working way to exclude hosts from snort. I have thousands of alerts from multiple servers on my network. I am trying to find a way to tell snort "globally" not to pay attention to these hosts. I would like to be able to add this to the snort.conf file so I can copy this file to my other sensors. I have used the command line "not host" options which does work but I have way to many hosts to use that. I don't want to edit every rule file. Basically I want to be able to add a host to one location, restart snort and be done with it.

Any help is appreciated, thanks
See [0]. You can then set up pass rules for your "way to many hosts" <g> or since you already seem to have BPF "not host" stuff, try snort's -F switch. If you want to use "-F" in the snort.conf, use the "config bpf_file: {your_bpf_file}" directive instead.

    -F bpf-file
        Read BPF filters from bpf-file. This is handy for people running
        Snort as a SHADOW replacement or with a love of super complex
        BPF filters. See the "expressions" section of this man page for
        more info on writing BPF filters.

Be careful about copying snort.conf files from sensor to sensor... You don't want to nuke local variables, if any.

[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed Linux..."
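An added example, not part of JP's message or of Snort itself: a Python helper that builds the BPF file for the -F / "config bpf_file:" approach above from one host list, so a host is added in a single place. The list format, the function name and the file path in the comments are assumptions; the addresses are constructed samples.

```python
import ipaddress

# Constructed sample list: one IPv4 address or CIDR network per line,
# "#" starts a comment. Hostnames are rejected on purpose so the filter
# does not depend on DNS at sensor start-up.
SAMPLE = """\
# noisy servers to exclude
192.0.2.10      # backup server
192.0.2.11
10.20.0.0/16    # scanner subnet
192.0.2.10      # duplicate, ignored
""".splitlines()


def build_bpf_exclusion(lines):
    """Return a BPF expression that drops traffic to/from the listed hosts."""
    terms, seen = [], set()
    for lineno, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                # strict=True rejects entries such as 10.20.0.5/16; libpcap
                # refuses a "net" term that has host bits set.
                term = f"net {ipaddress.IPv4Network(entry, strict=True)}"
            else:
                term = f"host {ipaddress.IPv4Address(entry)}"
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad entry {entry!r}") from exc
        if term not in seen:
            seen.add(term)
            terms.append(term)
    # An empty expression filters nothing, so Snort inspects all traffic.
    return "not (" + " or ".join(terms) + ")" if terms else ""


if __name__ == "__main__":
    # Write this output to a file (path is an assumption), then either
    #   snort -F /etc/snort/exclude.bpf ...
    # or, in snort.conf:
    #   config bpf_file: /etc/snort/exclude.bpf
    print(build_bpf_exclusion(SAMPLE))
```

Packets dropped by the BPF filter never reach Snort's detection engine, so the listed hosts produce no alerts of any kind; keep the list reviewed and use pass rules where only specific signatures should be silenced.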