Snort mailing list archives

RE: Disable alerts from certain machines - Not working for me?


From: Snortty <cwcwcwg () yahoo com>
Date: Thu, 25 Mar 2004 06:32:49 -0800 (PST)

Jerry and All, 

I want to do exactly the below, to disable ANY and ALL
alerts from certain IPs (dedicated scanners), and I
used the tips below by either:

pass ip 10.1.1.1 any -> any any

Or:

pass tcp 10.1.1.1 any -> any any
pass udp 10.1.1.1 any -> any any
pass icmp 10.1.1.1 any -> any any

in the local.rules file, and I used -o to run snort;
it does show "pass" as the first rule type to process. But
still some scanning alerts (mostly udp, not all) from
this source IP (10.1.1.1 as example here) will be in
my IDS report every time a scan is performed.

Can someone who's done this tell me WHY please?

Very appreciated, and thanks in advance.
CW. 
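An added example, not part of the thread: a small checker that reads a local.rules file and reports why pass rules for a given source might not cover everything, including a mistyped protocol keyword such as the "ucp" above and any of tcp/udp/icmp left without a pass rule when "pass ip" is not used. It assumes the Snort 2.x rule header layout (action proto src sport dir dst dport); the sample rules are constructed.

```python
import re

# Protocols a Snort 2.x rule header accepts; "ip" matches all of them.
VALID_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

# Rule header: action proto src_ip src_port direction dst_ip dst_port [options]
RULE_HEADER = re.compile(
    r"^(?P<action>pass|alert|log|drop|reject|sdrop)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)

# Constructed sample local.rules carrying the thread's typo (ucp instead of udp).
SAMPLE_LOCAL_RULES = """\
# constructed sample local.rules
pass tcp 10.1.1.1 any -> any any
pass ucp 10.1.1.1 any -> any any
pass icmp 10.1.1.1 any -> any any
"""

def parse_rules(text):
    """Return one dict per rule line; lines that do not parse carry an 'error' key."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_HEADER.match(line)
        if m is None:
            rules.append({"line": lineno, "error": "unparseable header", "raw": line})
            continue
        rule = m.groupdict()
        rule.update(line=lineno, raw=line)
        rules.append(rule)
    return rules

def check_pass_coverage(text, source_ip):
    """List why pass rules would not silence source_ip; an empty list means covered."""
    findings, covered = [], set()
    for r in parse_rules(text):
        if "error" in r:
            findings.append(f"line {r['line']}: {r['error']}: {r['raw']}")
        elif r["proto"] not in VALID_PROTOCOLS:
            findings.append(f"line {r['line']}: unknown protocol '{r['proto']}' (typo?)")
        elif r["action"] == "pass" and r["src"] == source_ip:
            covered.add(r["proto"])
    if "ip" not in covered:
        for proto in sorted({"tcp", "udp", "icmp"} - covered):
            findings.append(f"no pass rule for {proto} from {source_ip}")
    return findings
```

Rule ordering (the -o startup switch) lives outside the rules file, so the checker cannot confirm that pass rules are actually processed first; verify that from Snort's startup output as described in the thread.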


--- Jerry Shenk <jshenk () decommunications com> wrote:
Put in a pass rule for that particular IP address. You probably want to
do this in local.rules. You will probably also need to change the order
of rules so that pass rules are processed first. You can make that
change by using the -o startup switch. If you're starting from an init
script in /etc/rc.d/init.d, you can make the modification there.
 
The rule will probably be something like:
pass ip 10.1.1.1 any -> any any
 
or
 
pass tcp 10.1.1.1 any -> any any
pass udp 10.1.1.1 any -> any any
pass icmp 10.1.1.1 any -> any any
 
 
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Whitfield, Ken
Sent: Friday, March 12, 2004 11:34 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Disable alerts from certain machines



Greetings, 

How do I disable ALL alerts generated from certain hosts based upon src
address? Is it possible?

Thanks, 

Ken 











