Snort mailing list archives

Re: suppresing events from privat lan


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 16 Feb 2005 17:42:51 -0500

At 04:22 PM 2/16/2005, hans wrote:
> i want to suppress all events from my private lan,
> which has ip-adr 172.20.x.y  ( rfc 1918 )
> reading http://www.snort.org/docs/snort_manual/node13.html
> i see gen_id and sig_id are required
> are there wildcards ?

Don't do it that way..  suppress is really intended to fix one or two rules..

Instead, set EXTERNAL_NET to be !$HOME_NET.. this will take care of the majority of them.

The few remaining rules you can use suppress, or you can take things to an extreme and use a bpf statement on the snort command line to prevent snort from seeing the packets at all. (the bp filter format is the same one used by the tcpdump command line)




> question 2: what are AIM_SERVERS in my snort.config

The list of AOL instant messenger servers for the AIM detection rules.
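
The three options from the reply above, written out as a configuration fragment. This is an added example, not part of the original message; it assumes Snort 2.x `snort.conf` syntax and that the LAN is 172.20.0.0/16, and the SID, interface name and config path are placeholders.

```conf
# Added example with constructed values (Snort 2.x snort.conf syntax).
# Assumption: the private LAN is 172.20.0.0/16 (the post gives only 172.20.x.y).

# Before: every source address counts as "external", so rules written as
#   $EXTERNAL_NET any -> $HOME_NET ...
# also fire on traffic that originates inside the LAN.
# var EXTERNAL_NET any

# Option 1: scope the rules. With EXTERNAL_NET negated, LAN-sourced
# traffic no longer matches rules that require an external source.
var HOME_NET 172.20.0.0/16
var EXTERNAL_NET !$HOME_NET

# Option 2: suppress what is left, one rule at a time. gen_id and sig_id
# together name one rule; track/ip restrict the suppression to the LAN,
# so the same rule still alerts for every other source.
# sig_id 1852 is a placeholder: use the SID from the alert to be silenced.
suppress gen_id 1, sig_id 1852, track by_src, ip 172.20.0.0/16

# Option 3: BPF expression on the command line (tcpdump filter syntax).
# Snort never receives these packets, so no rule or preprocessor can
# alert on them, including for LAN hosts that start misbehaving.
# Interface name and config path are assumptions:
#   snort -i eth0 -c /etc/snort/snort.conf 'not src net 172.20.0.0/16'
```

The options are ordered from least to most visibility lost: option 1 keeps rules that do not depend on `$EXTERNAL_NET`, option 2 hides one rule for the listed addresses only, and option 3 hides all LAN-sourced traffic from the sensor.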

