IDS mailing list archives
Re: Snort Network Suppression
From: Alexander Bondarenko <al.bondarenko () gmail com>
Date: Sat, 15 Dec 2007 10:26:27 +0300
Hi ! threshold.conf is not what you want because it allows you to suppress a particalar rule for a particular src | dst ip address. If you whant to ignore all traffic for 192.168.1.0/24 you should use bpf filters with snort. From snort manual: -F bpf-file Read BPF filters from bpf-file. This is handy for people running Snort as a SHADOW replacement or with a love of super complex BPF filters. See the documentation for more information on writing BPF filters. You can look into tcpdump manual for more explanations about bpf filters. So you can create a file bpf.conf Write there not net 192.168.1.0 255.255.255.0 and start snort with -F bpf.conf Valuable links: http://oinkmaster.sourceforge.net/avoiding_snort_alerts.txt On Friday 14 December 2007 21:09, Jonathan Askew JBASKEW wrote:
I am new to IDS and have just set up snort on a ubuntu host. It has worked well except for the fact that I am getting some false positivies from local traffic on the network. I have been trying to find the solution on snort's forums but the site seems to be going up and down randomly. I want to set a rule in order to suppress/ignore local network traffic for 192.168.1.0/24. I know this can be done in the /etc/threshold.conf file but have not been able to do so successfully. Can someone be so kind as to post their threshold.conf file or guide me through the process? Thanks, Blake ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=i ntro_sfw to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Snort Network Suppression Jonathan Askew JBASKEW (Dec 14)
- RE: Snort Network Suppression Michael LaSalvia (Dec 14)
- Re: Snort Network Suppression Boogie B. (Dec 14)
- Message not available
- Re: Snort Network Suppression Jonathan Askew JBASKEW (Dec 17)
- Message not available
- Re: Snort Network Suppression Ngot (Dec 17)
- Re: Snort Network Suppression Alexander Bondarenko (Dec 17)
- Re: Snort Network Suppression Jamie Riden (Dec 17)
- Re: Snort Network Suppression Jamie Riden (Dec 17)
- Re: Snort Network Suppression Matteo Ignaccolo (Dec 17)
- Re: Snort Network Suppression Ureleet (Dec 17)