Snort mailing list archives

Re: threshold and suppress ??


From: "Jason" <snort-users () tcpipbitch net>
Date: Tue, 2 Mar 2004 07:49:41 -0500 (EST)

If you want to ignore all alerts from a specific address, or to an
address, use bpf filters.

in /path/to/some/file add
not (src host x.y.z.ip and dst host z.x.y.ip)
and not (src host a.b.c.ip and dst port 12345)

etc etc, and run snort with the -F /path/to/some/file

That's a really basic filter file; search the archives, people have posted
many times on how to use BPF filters.

re

I'm setting up a Snort IDS for observing the activity of a larger network (of
size /19) and I'd like to suppress some events from trusted hosts that
Snort reports as alerts. So I'm trying to suppress all alerts for some
trusted hosts that are doing GRE tunneling, since Snort reports almost
every possible alert between two trusted hosts on the GRE layer.

In threshold.conf I've put something like this

suppress gen_id 1, sig_id 0, track by_dst, ip x.x.x.y/32

but Snort still generates alerts for this trusted host. So can I apply a
suppress rule that suppresses all events from a specified IP?

regards,
 Andraz

--
BOFH excuse #265:

The mouse escaped.
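The two approaches in this thread (a BPF filter file passed with -F, and a suppress line in threshold.conf) fail in different ways, and the suppress one is easy to get wrong because `track by_dst` only looks at the destination address of the packet that raised the alert. The following is an added example, not code from Snort or from either poster: a small model of how a suppress line is matched against alerts, run over a handful of constructed alerts between two trusted hosts (TEST-NET addresses). It goes slightly beyond the question by also showing decoder alerts, which in Snort 2 carry generator id 116 rather than 1, so a `gen_id 1` suppress never touches them. The model treats `sig_id 0` and `gen_id 0` as wildcards, which is an assumption that should be checked against the manual for the Snort version in use.

```python
"""Toy model of Snort 2 'suppress' matching (added example, not Snort's code).

Assumptions (not from the original thread):
  * gen_id 0 / sig_id 0 are treated as wildcards.
  * An alert carries the src/dst of the packet that triggered it; by_src tests
    src, by_dst tests dst, nothing else.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: str   # "by_src" or "by_dst"
    ip: str      # CIDR

    def matches(self, alert: Alert) -> bool:
        if self.gen_id not in (0, alert.gen_id):
            return False
        if self.sig_id not in (0, alert.sig_id):
            return False
        # The only address the rule ever inspects is the one named by 'track'.
        addr = alert.src if self.track == "by_src" else alert.dst
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.ip, strict=False)


def parse_suppress(line: str) -> Suppress:
    """Parse 'suppress gen_id 1, sig_id 0, track by_dst, ip 192.0.2.10/32'."""
    keyword, body = line.strip().split(None, 1)
    if keyword != "suppress":
        raise ValueError(f"not a suppress line: {line!r}")
    fields = dict(part.split() for part in body.split(","))
    return Suppress(int(fields["gen_id"]), int(fields["sig_id"]),
                    fields["track"], fields["ip"])


def filter_alerts(alerts, rules):
    """Return the alerts that survive every suppress rule."""
    return [a for a in alerts if not any(r.matches(a) for r in rules)]


# Constructed sample: two trusted GRE endpoints (TEST-NET-1) plus outsiders.
TRUSTED_A = "192.0.2.10"
TRUSTED_B = "192.0.2.20"
ALERTS = [
    Alert(1, 1000001, TRUSTED_A, TRUSTED_B),      # rule alert, A -> B
    Alert(1, 1000001, TRUSTED_B, TRUSTED_A),      # rule alert, B -> A
    Alert(116, 1, TRUSTED_A, TRUSTED_B),          # decoder alert (gen 116), constructed sig_id
    Alert(1, 1000002, "198.51.100.7", TRUSTED_A), # outsider -> A
    Alert(1, 1000002, "198.51.100.7", "203.0.113.5"),  # unrelated traffic
]

# What the question posted: destination only, rule-engine alerts only.
QUESTION_RULE = f"suppress gen_id 1, sig_id 0, track by_dst, ip {TRUSTED_A}/32"


def remaining_with_question_rule():
    return filter_alerts(ALERTS, [parse_suppress(QUESTION_RULE)])


def remaining_with_both_directions():
    """Add a by_src twin so traffic *from* the trusted host is covered too."""
    rules = [parse_suppress(QUESTION_RULE),
             parse_suppress(f"suppress gen_id 1, sig_id 0, track by_src, ip {TRUSTED_A}/32")]
    return filter_alerts(ALERTS, rules)


def remaining_with_all_generators():
    """gen_id 0 in both directions: decoder/preprocessor alerts go away as well."""
    rules = [parse_suppress(f"suppress gen_id 0, sig_id 0, track {t}, ip {TRUSTED_A}/32")
             for t in ("by_dst", "by_src")]
    return filter_alerts(ALERTS, rules)


if __name__ == "__main__":
    for name, fn in [("question rule", remaining_with_question_rule),
                     ("both directions", remaining_with_both_directions),
                     ("all generators", remaining_with_all_generators)]:
        print(f"{name}: {len(fn())} alert(s) still fire")
```

Run as written, the single `by_dst` line leaves the A-to-B rule alert and the decoder alert untouched; the `by_src` twin removes the former and only `gen_id 0` removes the latter. A BPF file with `not (src host A and dst host B) and not (src host B and dst host A)` passed via -F drops those packets before any decoding, so it silences decoder alerts as well, at the cost of never seeing that traffic at all.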


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



