Snort mailing list archives

RE: Disable alerts from certain machines - Not working for me?


From: Snortty <cwcwcwg () yahoo com>
Date: Fri, 26 Mar 2004 10:41:45 -0800 (PST)

Andreas and All, 

Thank you all for the valuable information you all
provided – all in my toolbox now. The doc at the
link is also very useful for a good understanding of how
snort generates alerts!

I chose to use bpf to ignore all packets from this
source in this case, so I wrote up a bpf file, but
snort just won’t run after many tries, with the errors
below:

snort# /usr/local/bin/snort -dv -F /snort/bpf.snort -o
Running in packet dump mode
Log directory = /var/log/snort

Initializing Network Interface dmfe0
ERROR: OpenPcap() FSM compilation failed: 
        PCAP command: %s
Fatal Error, Quitting..

rtppiggy1:/snort# cat bpf.snort
!(src host 10.1.1.1)
!(src host 10.1.1.2)

Without -F /snort/bpf.snort -o (-o is not making a
difference), snort runs well.

I checked the tcpdump manpage, the snort README, and previous
snort-users posts; the above seems to be the only way I saw,
without a clear indication that it worked.

Can anyone share working bpf information here, please?
I’m running snort 2.0.6 on Solaris 8.

By the way, I still cannot upgrade to snort 2.1.1,
probably due to Solaris 8, without a reason.
(./configure, make, make install all seem to be fine.)

Also, I tried to do a suppress gen_id thing, but I cannot
find threshold.conf under snort 2.0.6 to put this line
in – strange?

Cannot say enough how great this snort-users world is;
never a better place like this on the internet!
Thanks again,
SW.



--- Andreas_Östling <andreaso () it su se> wrote:

On Thu, 25 Mar 2004, Snortty wrote:

Jerry and All, 

I want to do exactly the below, to disable ANY and ALL
alerts from certain IPs (dedicated scanners), and I
used the tips below by either:

pass ip 10.1.1.1 any -> any any
...

Disabling all alerts from a host and using pass rules to pass all
traffic from that host is not the same thing. Pass rules have no effect on
alerts generated by preprocessors, for example, although you don't mention
if that's the case here.

Btw, I tried to write a little document describing these things:

http://people.su.se/~andreaso/docs/README.avoiding_alerts

It's still kind of a beta so I'd appreciate any comments/suggestions
from anyone.

/Andreas
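The posted bpf.snort holds two expressions on two lines. A pcap filter file is read as one expression, and the pcap filter grammar only joins primitives with `and`/`or`, so two juxtaposed expressions are a syntax error regardless of the newline between them. The following is an added example, not code from the thread, from Snort or from libpcap: a small Python evaluator for the subset of filter syntax used here (`host`, `src`/`dst`, `not`/`!`, `and`, `or`, parentheses; this subset and the packet shape are assumptions of the example). It shows that the two-line file is rejected and what the single-expression form does to constructed sample packets.

```python
"""Toy evaluator for a small subset of pcap/BPF filter syntax.

Added example (not Snort or libpcap code). Assumed grammar:
  expr := term (('and' | '&&' | 'or' | '||') term)*   # 'and' binds tighter than 'or'
  term := ('not' | '!') term | '(' expr ')' | ('src' | 'dst')? 'host' IPv4
A packet is modelled as a dict with 'src' and 'dst' addresses (assumption).
"""
import re
from typing import Callable, Dict, List

Packet = Dict[str, str]
Predicate = Callable[[Packet], bool]

TOKEN_RE = re.compile(r"\s*(\(|\)|!|&&|\|\||[A-Za-z]+|\d+\.\d+\.\d+\.\d+)")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


class FilterSyntaxError(ValueError):
    """Raised when the filter text does not form exactly one expression."""


def tokenize(text: str) -> List[str]:
    """Split filter text into tokens; newlines are ordinary whitespace."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise FilterSyntaxError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing a predicate over packets."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise FilterSyntaxError(f"expected {expected or 'more input'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self) -> Predicate:
        node = self.parse_or()
        if self.peek() is not None:
            # A second expression follows the first with no 'and'/'or' between
            # them: this is what a two-line filter file looks like to the parser.
            raise FilterSyntaxError(
                f"unexpected token {self.peek()!r}: expressions must be joined with 'and'/'or'")
        return node

    def parse_or(self) -> Predicate:
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            right = self.parse_and()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def parse_and(self) -> Predicate:
        left = self.parse_term()
        while self.peek() in ("and", "&&"):
            self.take()
            right = self.parse_term()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
        return left

    def parse_term(self) -> Predicate:
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            inner = self.parse_term()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.parse_or()
            self.take(")")
            return inner
        direction = self.take() if tok in ("src", "dst") else None
        self.take("host")
        ip = self.take()
        if not IPV4_RE.fullmatch(ip):
            raise FilterSyntaxError(f"expected IPv4 address, got {ip!r}")
        if direction == "src":
            return lambda p: p["src"] == ip
        if direction == "dst":
            return lambda p: p["dst"] == ip
        return lambda p: ip in (p["src"], p["dst"])


def compile_filter(text: str) -> Predicate:
    """Compile a filter file's text into a keep-packet predicate."""
    return Parser(tokenize(text)).parse()


def apply_filter(text: str, packets: List[Packet]) -> List[Packet]:
    """Return the packets the filter would let through to the sensor."""
    keep = compile_filter(text)
    return [p for p in packets if keep(p)]


# The two-line file from the thread (fails) and a one-expression form (works).
POSTED_FILTER = "!(src host 10.1.1.1)\n!(src host 10.1.1.2)\n"
FIXED_FILTER = "not src host 10.1.1.1 and not src host 10.1.1.2\n"

# Constructed sample traffic: two scanner sources and two unrelated hosts.
SAMPLE_PACKETS = [
    {"src": "10.1.1.1", "dst": "10.2.2.2"},
    {"src": "10.1.1.2", "dst": "10.2.2.2"},
    {"src": "10.3.3.3", "dst": "10.1.1.1"},
    {"src": "192.0.2.7", "dst": "10.2.2.2"},
]


def posted_filter_is_rejected() -> bool:
    """True when the two-line file is refused as a syntax error."""
    try:
        compile_filter(POSTED_FILTER)
    except FilterSyntaxError:
        return True
    return False


if __name__ == "__main__":
    print("two-line file rejected:", posted_filter_is_rejected())
    print("kept by fixed filter:", [p["src"] for p in apply_filter(FIXED_FILTER, SAMPLE_PACKETS)])
```

Note the difference between `src host` and plain `host`: with `not src host 10.1.1.1`, replies sent back to the scanner are still inspected, while `not host 10.1.1.1` silences both directions. Either way a BPF filter drops packets before any preprocessor sees them, which is why it behaves differently from a pass rule.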



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users





