Snort mailing list archives
Re: Remove Home_NET from EXTERNAL_NET any
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 3 Jul 2002 10:42:36 -0700 (PDT)
On Wed, 3 Jul 2002 DThomaz () flowserve com wrote:
How about removing and address from the rule. alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;) I do not want to see alerts from 172.20.11.3, should I edit at the rule or at the snort.conf? When I remove from the rule I get this error running snort Jul 3 11:16:40 ormnm9 snort: FATAL ERROR: ERROR /etc/snort//misc.rules (7) => Rule netmask (16!172.20.11.3/30) didn't x-late, WTF?
Nope. Wrong syntax. Have a look at: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3
From what I'm reading, your question has changed a bit. Now you're wanting to
'ignore' a host and/or type of traffic from that host, but no others. If that's correct, then have a look at this: http://www.theadamsfamily.net/~erek/snort/ignore.txt If I'm on wrong... *shrug* Guess that would be a penalty drink[0] for me. :) ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net [0] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek No, I will not fix your computer. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Remove Home_NET from EXTERNAL_NET any DThomaz (Jul 02)
- Re: Remove Home_NET from EXTERNAL_NET any Chris Green (Jul 02)
- Re: Remove Home_NET from EXTERNAL_NET any Erek Adams (Jul 02)
- <Possible follow-ups>
- Re: Remove Home_NET from EXTERNAL_NET any DThomaz (Jul 03)
- Re: Remove Home_NET from EXTERNAL_NET any Erek Adams (Jul 03)
- Re: Remove Home_NET from EXTERNAL_NET any DThomaz (Jul 03)
- Re: Remove Home_NET from EXTERNAL_NET any Erek Adams (Jul 03)