IDS mailing list archives
Re: Snort Network Suppression
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Mon, 17 Dec 2007 14:55:16 -0600
On 15/12/2007, Alexander Bondarenko <al.bondarenko () gmail com> wrote:
> Hi! threshold.conf is not what you want because it allows you to suppress a particular rule for a particular src | dst ip address. If you want to ignore all traffic for 192.168.1.0/24 you should use bpf filters with snort.
I agree with Alexander that this is how you drop all alerts from and to a particular netblock, but I don't think this is a good idea in practice. You'd be throwing all the useful information away with the false positives. I used to run snort on a /16 and it was extremely noisy at first, but a bit of hand-tuning of the rules really paid off.

cheers,
Jamie
--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
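Added example (not from the thread and not Snort's own code) that models the difference the two replies describe: a per-rule `suppress` entry in threshold.conf versus a BPF `not net 192.168.1.0/24` filter that keeps the whole netblock away from every rule. The suppress syntax follows Snort 2.x threshold.conf; the alerts and sig_id values are constructed sample data.

```python
# Added example, not from the thread: models the two approaches discussed
# (threshold.conf 'suppress' vs. a BPF 'not net' filter) over constructed alerts.
import ipaddress
import re

SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
                         r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$")

def parse_suppress(line):
    """Parse one Snort 2.x threshold.conf 'suppress' line."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError("not a suppress line: %r" % line)
    gid, sid, track, ip = m.groups()
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return {"gid": int(gid), "sid": int(sid), "track": track, "net": net}

def suppressed(alert, rules):
    """True if a (gid, sid, src, dst) alert matches any suppress rule."""
    gid, sid, src, dst = alert
    for r in rules:
        if (r["gid"], r["sid"]) != (gid, sid):
            continue
        if r["net"] is None:  # no track clause: rule is suppressed everywhere
            return True
        if ipaddress.ip_address(src if r["track"] == "by_src" else dst) in r["net"]:
            return True
    return False

def bpf_excluded(alert, net):
    """Effect of 'not net <net>': src OR dst in the block never reaches any rule."""
    _, _, src, dst = alert
    return ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net

def surviving(alerts, rules=(), bpf_net=None):
    """Alerts that would still fire under the given suppress rules and/or BPF block."""
    return [a for a in alerts
            if not (bpf_net and bpf_excluded(a, bpf_net)) and not suppressed(a, rules)]

# Constructed sample alerts as (gen_id, sig_id, src, dst); sid 1000001 is the noisy rule.
ALERTS = [
    (1, 1000001, "192.168.1.10", "10.0.0.5"),   # noisy rule, local source
    (1, 1000001, "203.0.113.7", "10.0.0.5"),    # same rule, external source
    (1, 1000002, "192.168.1.22", "10.0.0.9"),   # other rule, local source
    (1, 1000003, "10.0.0.5", "192.168.1.40"),   # other rule, local destination
]
RULES = [parse_suppress("suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.0/24")]
LOCAL = ipaddress.ip_network("192.168.1.0/24")
```

With the suppress entry only the noisy local hit is dropped (3 of 4 alerts survive); with the BPF filter only the single external-to-external alert survives, which is the loss of signal Jamie warns about.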
Current thread:
- Snort Network Suppression Jonathan Askew JBASKEW (Dec 14)
- RE: Snort Network Suppression Michael LaSalvia (Dec 14)
- Re: Snort Network Suppression Boogie B. (Dec 14)
- Re: Snort Network Suppression Jonathan Askew JBASKEW (Dec 17)
- Re: Snort Network Suppression Ngot (Dec 17)
- Re: Snort Network Suppression Alexander Bondarenko (Dec 17)
- Re: Snort Network Suppression Jamie Riden (Dec 17)
- Re: Snort Network Suppression Jamie Riden (Dec 17)
- Re: Snort Network Suppression Matteo Ignaccolo (Dec 17)
- Re: Snort Network Suppression Ureleet (Dec 17)