Snort mailing list archives
Re: how to ignore scans from trusted hosts?
From: Tony Lill <ajlill () ajlc waterloo on ca>
Date: Fri, 01 Jun 2001 12:41:25 EDT
"Neil" == Neil Dickey <neil () geol niu edu> writes:
Neil> Tony Lill <ajlill () ajlc waterloo on ca> wrote in response to Neil> me: >> not ( tcp and host trusted.host and port 80 ) >> >> and either append it to the command line or put it in a file >> and use the -F option to snort. Neil> I have successfully used this syntax near the head of my Neil> snort.conf file ... Neil> preprocessor portscan-ignorehosts: 111.222.333.444/24 Neil> 555.666.777.888/8 Neil> ... where the number of domains to be ignored was not large. I remember why I went the filter route now... it was to cut out the anomoly reports as well. Unfortuately there's not a global pre-pre-processor to eliminate trusted hosts so we don't have to configure it for every pre-processor (assuming it supports such a thing). Cheers -- Tony Lill, Tony.Lill () AJLC Waterloo ON CA President, A. J. Lill Consultants fax/data (519) 650 3571 539 Grand Valley Dr., Cambridge, Ont. N3H 2S2 (519) 241 2461 --------------- http://www.ajlc.waterloo.on.ca/ ---------------- "Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!" _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- how to ignore scans from trusted hosts? Roeland Weve (May 31)
- <Possible follow-ups>
- Re: how to ignore scans from trusted hosts? Neil Dickey (May 31)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)
- Re: how to ignore scans from trusted hosts? Phil Wood (Jun 01)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)
- Re: how to ignore scans from trusted hosts? Neil Dickey (Jun 01)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)