Snort mailing list archives

Re: How config Preprocessor (other than the portscan PP) to ignore certain hosts?


From: Erek Adams <erek () snort org>
Date: Thu, 1 May 2003 11:15:32 -0400 (EDT)

On Thu, 1 May 2003 Brad.Watkins () mail state ky us wrote:

> I am running Nessus on the same subnet as my RH 7.3 box that is running
> Snort 2.0 (W/SQL) and ACID.  Every time I do an audit from Nessus it floods
> the logs with alerts.  I understand how to ignore hosts for the portscan
> preprocessors, but how do I get the other preprocessors to ignore a host or
> hosts?  Stream4 is the biggest problem as it shows all the stealth scans
> that Nessus is performing.  As I understand it, writing rules will not do
> this as the preprocessors are acting before rules are applied.

You'll have to use a BPF filter.

        snort -c /etc/snort.conf 'not host 192.168.0.4 and not port 22'

That will stop the packets from ever getting into Snort.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


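An added example, not part of the original post: a shell helper that builds a host-only exclusion filter for several scanner machines and rejects anything that is not a plain IPv4 address, so a bad entry cannot widen the filter. Snort then sees no traffic at all to or from the listed hosts, so the list should hold only the scanners themselves. The address 192.168.0.5 and the file path in the comments are assumptions for illustration; `-F` is Snort's option for reading a BPF filter from a file.

```shell
#!/bin/sh
# Build a BPF expression that excludes only the listed scanner hosts.

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_scanner_filter ADDR...: print "not (host A or host B ...)".
# Fails without output if any argument is not a valid IPv4 address.
build_scanner_filter() {
    [ "$#" -gt 0 ] || { echo "no scanner hosts given" >&2; return 1; }
    filter=""
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "rejecting '$addr'" >&2; return 1; }
        filter="${filter:+$filter or }host $addr"
    done
    printf 'not (%s)\n' "$filter"
}

# Constructed sample: the Nessus host from the thread plus a second,
# hypothetical scanner.
build_scanner_filter 192.168.0.4 192.168.0.5

# Typical use (hypothetical file path):
#   build_scanner_filter 192.168.0.4 192.168.0.5 > /etc/snort/scanner.bpf
#   snort -c /etc/snort.conf -F /etc/snort/scanner.bpf
```
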