Snort mailing list archives

Re: Exclude hosts in snort


From: JP Vossen <vossenjp () netaxs com>
Date: Mon, 11 Aug 2003 18:03:04 -0400 (EDT)

From: "Jason" <netlist () kua net>
To: <snort-users () lists sourceforge net>
Date: Mon, 11 Aug 2003 12:01:25 -0400
Subject: [Snort-users] Exclude hosts in snort

I have searched the posts and web and can't seem to find an easy/working
way to exclude hosts from snort. I have thousands of alerts from multiple
servers on my network. I am trying to find a way to tell snort
"globally" not to pay attention to these hosts. I would like to be able
to add this to the snort.conf file so I can copy this file to my other
sensors. I have used the command line "not host" options which does work
but I have way to many hosts to use that. I don't want to edit every
rule file. Basically I want to be able to add a host to one location,
restart snort and be done with it. Any help is appreciated, thanks

See [0].  You can then set up pass rules for your "way to many hosts" <g> or
since you already seem to have BPF "not host" stuff, try snort's -F switch.
If you want to use "-F" in the snort.conf, use the
"config bpf_file: {your_bpf_file}" directive instead.

       -F bpf-file
              Read BPF filters from bpf-file. This is handy for people running
              Snort as a SHADOW replacement or with a love of super complex
              BPF filters. See the "expressions" section of this man page for
              more info on writing BPF filters.

Be careful about copying snort.conf files from sensor to sensor...  You don't
want to nuke local variables, if any.

[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
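
The "one location" setup discussed in this message (a host list turned into a BPF file for `-F` or `config bpf_file:`), as an added example that is not part of the original post. The function names and file paths are assumptions. Hosts excluded by a BPF filter are dropped before detection, so Snort raises no alerts at all for their traffic.

```shell
#!/bin/sh
# Added example: build a BPF filter file for Snort from a plain host list.
# Function names and file paths here are assumptions for illustration.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ignore_bpf HOSTFILE: print one BPF expression excluding every host.
# Blank lines and '#' comments are skipped. A bad entry aborts with status 1,
# so a typo cannot silently produce a broken or overly broad filter.
build_ignore_bpf() {
    filter=""
    while IFS= read -r line || [ -n "$line" ]; do
        host=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$host" ] || continue
        if ! is_ipv4 "$host"; then
            echo "invalid host entry: $host" >&2
            return 1
        fi
        filter="${filter:+$filter or }host $host"
    done < "$1"
    # No hosts listed: print nothing, leaving the filter empty (match all).
    [ -n "$filter" ] || return 0
    printf 'not (%s)\n' "$filter"
}

# Usage (paths are assumptions):
#   sh build_bpf.sh /etc/snort/ignore_hosts.txt > /etc/snort/ignore.bpf
# then in snort.conf:
#   config bpf_file: /etc/snort/ignore.bpf
[ $# -eq 0 ] || build_ignore_bpf "$1"
```

Keep the host list and the generated filter file per sensor, separate from any snort.conf copied between sensors, and review the list periodically because every entry is a detection blind spot.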


