Snort mailing list archives

Re: how to ignore scans from trusted hosts?


From: Tony Lill <ajlill () ajlc waterloo on ca>
Date: Fri, 01 Jun 2001 12:41:25 EDT

"Neil" == Neil Dickey <neil () geol niu edu> writes:


    Neil> Tony Lill <ajlill () ajlc waterloo on ca> wrote in response to
    Neil> me:

    >> not ( tcp and host trusted.host and port 80 )
    >> 
    >> and either append it to the command line or put it in a file
    >> and use the -F option to snort.

    Neil> I have successfully used this syntax near the head of my
    Neil> snort.conf file ...

    Neil>   preprocessor portscan-ignorehosts: 111.222.333.444/24
    Neil> 555.666.777.888/8

    Neil> ... where the number of domains to be ignored was not large.

I remember why I went the filter route now... it was to cut out the
anomaly reports as well. Unfortunately there's not a global
pre-pre-processor to eliminate trusted hosts so we don't have to
configure it for every pre-processor (assuming it supports such a
thing).

Cheers
--
Tony Lill,                         Tony.Lill () AJLC Waterloo ON CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
