Snort mailing list archives

Re: ignore a single host


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 22 Nov 2004 12:23:49 -0500

At 04:44 AM 11/21/2004, isp wrote:
> I have a computer which continuously gets the following alert. It is because it
> is making lots of SNMP requests, which is what it is supposed to do. How do I
> get snort to ignore a single host like this, or just ignore this particular
> alert?

Option 1 - pass rules
Create a pass rule for the host, and add -o to your snort command line so pass rules get applied first.

Option 2 - bpf filters
Pass a BPF filter on the command line that will ignore this host. See the tcpdump manpages for information on BPF syntax, as tcpdump uses the same BPF library as snort. Something like "host not 1.1.1.1" should work, or "udp and src not 1.1.1.1" as a more specific version.

Option 3 - comment out the rule in the rule file.
It's a bit brute force, but it works. It should be in snmp.rules. Use grep to find the rule with sid:1417.

Option 4 - suppress the alert:
        suppress gen_id 1 , sid_id 1417

http://www.snort.org/docs/snort_manual/node12.html
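The three configurable options above, written out as an added example (this is not from the original post or from the Snort project). The poller address 192.0.2.10, the rule file name local.rules and sid 1000001 are constructed for illustration; the suppress keyword is spelled sig_id as in the Snort manual's threshold.conf syntax, and the -o behaviour is that of the Snort 2.x versions this thread is about, so check snort -? on your release.

```conf
# Added example, not part of the original message. Constructed values:
# 192.0.2.10 is the busy SNMP poller; its requests go to udp/161.

# Option 1: pass rule (e.g. in local.rules). It must cover the same
# traffic the alert rule matches, i.e. UDP from that host to port 161.
# On Snort 2.x of this era pass rules only win over alert rules when
# snort is started with -o:
#   snort -o -c /etc/snort/snort.conf -i eth0
pass udp 192.0.2.10 any -> $HOME_NET 161 (msg:"Known SNMP poller, ignore"; sid:1000001; rev:1;)

# Option 2: BPF filter, given as trailing command-line arguments
#   snort -c /etc/snort/snort.conf -i eth0 'udp and not src host 192.0.2.10'
# or read from a file with -F:
#   snort -c /etc/snort/snort.conf -i eth0 -F /etc/snort/poller.bpf
# Caveat: a BPF filter removes the packets before any rule runs, so
# nothing else from that host (including an attack) is inspected either.

# Option 4: event suppression in threshold.conf (included from snort.conf).
# First line silences sid 1417 for every source; the second keeps the
# alert for everyone except the known poller, which is what was asked.
suppress gen_id 1, sig_id 1417
suppress gen_id 1, sig_id 1417, track by_src, ip 192.0.2.10
```

Of the three, the by_src suppression is the narrowest: the alert still fires for any other host making SNMP requests, whereas the pass rule and the BPF filter also hide any other traffic from 192.0.2.10 that they happen to match.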




