Snort mailing list archives
Re: Remove Home_NET from EXTERNAL_NET any
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 3 Jul 2002 11:15:14 -0700 (PDT)
On Wed, 3 Jul 2002 DThomaz () flowserve com wrote:
If I want to use the pass rule, where do I have to add it?
IMHO, the best way to do it would be to create an 'ignore.rules' and place the pass rule in that rules file. Then I would include that rulefile at the top of the list of included files in snort.conf. For example:

[...snip...]
#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintenance.
# Please read the included specific file for more information.
#=========================================

# Ignore.rules stores pass rules for hosts I wish to ignore.
include $RULE_PATH/ignore.rules

# Standard Snort Rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
[...snip...]

And then in ignore.rules:

pass icmp <foo> any -> $HOME_NET any
What is BPF?
BPF stands for Berkeley Packet Filter. To understand the syntax of the filter, have a look at your local tcpdump(8) manpage.

As a note, if you are seeing a lot of packets from those machines you wish to ignore, you'll get better performance out of snort to use a filter instead of a pass rule. For the pass rule to work, the packet must be parsed in some way by snort. Whereas the BPF drops it at the packet capture level and the packets are never 'seen' by snort at all.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
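
The BPF alternative described above, as an added example that is not part of the original message: a POSIX shell helper that builds a capture filter scoped as narrowly as the pass rule (ICMP only, from the listed hosts, to the home network), since anything the filter drops is never inspected. The function names, the file name ignore.bpf and the addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Addresses are constructed (RFC 5737 documentation ranges).

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so that
# nothing but an address can be spliced into the filter expression.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_cidr NET/LEN: dotted quad plus a prefix length of 0-32.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    case "${1#*/}" in
        ''|*[!0-9]*|???*) return 1 ;;
    esac
    [ "${1#*/}" -le 32 ]
}

# build_icmp_ignore_bpf HOME_NET HOST...
# BPF has no $HOME_NET variable, so the network is passed in literally.
build_icmp_ignore_bpf() {
    home_net=$1
    [ "$#" -ge 2 ] || { echo "usage: HOME_NET HOST..." >&2; return 1; }
    shift
    is_cidr "$home_net" || { echo "bad HOME_NET: $home_net" >&2; return 1; }
    srcs=""
    for h in "$@"; do
        is_ipv4 "$h" || { echo "bad host: $h" >&2; return 1; }
        srcs="${srcs:+$srcs or }src host $h"
    done
    printf 'not (icmp and dst net %s and (%s))\n' "$home_net" "$srcs"
}

# Write the filter to a file that Snort can read with -F:
#   build_icmp_ignore_bpf 192.0.2.0/24 198.51.100.7 198.51.100.9 > ignore.bpf
#   snort -c snort.conf -F ignore.bpf
build_icmp_ignore_bpf 192.0.2.0/24 198.51.100.7 198.51.100.9
```

Because the filter is limited to ICMP toward the home network, other traffic from the ignored hosts still reaches the rule engine.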