Snort mailing list archives

RE: Disable alerts from certain machines


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 12 Mar 2004 12:05:27 -0500

Put in a pass rule for that particular IP address.  You probably want to
do this in local.rules.  You will probably also need to change the order
of rules so that pass rules are processed first.  You can make that
change by using the -o startup switch.  If you're starting from an init
script in /etc/rc.d/init.d, you can make the modification there.
 
The rule will probably be something like:
pass ip 10.1.1.1 any -> any any
 
or
 
pass tcp 10.1.1.1 any -> any any
pass udp 10.1.1.1 any -> any any
pass icmp 10.1.1.1 any -> any any
 
 
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Whitfield,
Ken
Sent: Friday, March 12, 2004 11:34 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Disable alerts from certain machines



Greetings, 

How do I disable ALL alerts generated from certain hosts based upon src
address? Is it possible? 

Thanks, 

Ken 


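Why the -o reordering matters for the pass rule in the reply above, as an added example that is not part of the original messages and is not Snort code: a simplified Python model of Snort 2.x rule-type ordering (Alert->Pass->Log by default, Pass->Alert->Log with -o). The sample rules, the destination 192.0.2.10 and all function names are constructed for illustration.

```python
import ipaddress

# Simplified model of Snort 2.x rule-type ordering; not Snort's own code.
DEFAULT_ORDER = ("alert", "pass", "log")     # stock evaluation order
PASS_FIRST_ORDER = ("pass", "alert", "log")  # order when started with -o

# Constructed sample rules; only the rule header is modelled, options are ignored.
RULES_IP = [
    'alert tcp any any -> any 80 (msg:"constructed web rule";)',
    'alert udp any any -> any 53 (msg:"constructed dns rule";)',
    "pass ip 10.1.1.1 any -> any any",
]
# Same set, but the pass rule only covers TCP.
RULES_TCP_ONLY = RULES_IP[:2] + ["pass tcp 10.1.1.1 any -> any any"]

def parse_header(rule):
    """Split 'action proto src sport -> dst dport' into a dict."""
    action, proto, src, sport, arrow, dst, dport = rule.split()[:7]
    if arrow != "->":
        raise ValueError("only unidirectional headers are modelled: " + rule)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """True when the packet fits the rule header ('ip' covers every protocol)."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))

def verdict(rules, pkt, order):
    """Walk the rule types in `order`; the first type with a matching rule wins."""
    parsed = [parse_header(r) for r in rules]
    for action in order:
        if any(r["action"] == action and matches(r, pkt) for r in parsed):
            return action
    return None

def packet(src, proto, dport):
    return dict(src=src, dst="192.0.2.10", proto=proto, sport=40000, dport=dport)

if __name__ == "__main__":
    pkt = packet("10.1.1.1", "tcp", 80)
    print("default:", verdict(RULES_IP, pkt, DEFAULT_ORDER),
          "| with -o:", verdict(RULES_IP, pkt, PASS_FIRST_ORDER))
```

In this model the port-80 packet from 10.1.1.1 still alerts under the default order and is passed only with the -o order, and the TCP-only pass rule leaves UDP from the same host alerting.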


