Snort mailing list archives
Re: How config Preprocessor (other than the portscan PP) to ignore c ertain hosts?
From: Erek Adams <erek () snort org>
Date: Thu, 1 May 2003 11:15:32 -0400 (EDT)
On Thu, 1 May 2003 Brad.Watkins () mail state ky us wrote:
I am running Nessus on the same subnet as my RH 7.3 box that is running Snort 2.0 (W/SQL) and ACID. Every time I do an audit from Nessus it floods the logs with alerts. I understand how to ignore hosts for the portscan preprocessors, but how do I get the other preprocessors to ignore a host or hosts? Stream4 is the biggest problem as it shows all the stealth scans that Nesses is performing. As I understand it writing rules will not due this as the preprocessors are acting before rules are applied.
You'll have to use a BPF filter. snort -c /etc/snort.conf 'not host 192.168.0.4 and not port 22' That will stop the packets from ever getting into Snort. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- How config Preprocessor (other than the portscan PP) to ignore c ertain hosts? Brad . Watkins (May 01)
- Re: How config Preprocessor (other than the portscan PP) to ignore c ertain hosts? Erek Adams (May 01)