Snort mailing list archives

Re: Exclude one IP


From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 01 Nov 2005 17:39:28 -0600

--On Tuesday, November 01, 2005 13:20:17 -0500 Joel Esler <joel.esler () sourcefire com> wrote:

Matt,


Thanks for your email, however,


var HOME_NET [10.1.10.0/24,!10.1.10.24]
var EXTERNAL_NET !$HOME_NET


Will make HOME_NET everything in that range except for that
one machine, then make EXTERNAL_NET everything else, including that one
machine.

Just curious. If you want to ignore one machine, why not use a pass rule? Or a Berkeley filter?

pass ip 10.1.10.24 any -> any any (msg:"Ignore this host";sid:1000001;rev:1;)
pass ip any any -> 10.1.10.24 any (msg:"Ignore this host";sid:1000002;rev:1;)

or start snort with a bpf filter:

echo "not host 10.1.10.24" > ignore.bpf

snort -F ignore.bpf

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
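
Added example, not part of either poster's message and not Snort's own parser: a small Python model of the variable semantics described in the quoted text, set beside the BPF alternative, to show that the negated-variable approach leaves 10.1.10.24 classified as external while the BPF drops its traffic before any rule is evaluated. The function names and the sample flows are constructed for illustration.

```python
import ipaddress

def compile_var(spec, variables):
    """Turn a Snort-style var value into a predicate on an IP string."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):                      # reference to another var
        inner = variables[spec[1:]]
        return (lambda ip: not inner(ip)) if negated else inner
    include, exclude = [], []
    for item in spec.strip("[]").split(","):
        item = item.strip()
        bucket = exclude if item.startswith("!") else include
        bucket.append(ipaddress.ip_network(item.lstrip("!"), strict=False))

    def match(ip):
        addr = ipaddress.ip_address(ip)
        hit = any(addr in n for n in include) and not any(addr in n for n in exclude)
        return hit != negated
    return match

def load_vars(lines):
    """Parse 'var NAME VALUE' lines in order, as in snort.conf."""
    variables = {}
    for line in lines:
        _, name, value = line.split(None, 2)
        variables[name] = compile_var(value, variables)
    return variables

# The two var lines from the quoted message.
VARS = load_vars([
    "var HOME_NET [10.1.10.0/24,!10.1.10.24]",
    "var EXTERNAL_NET !$HOME_NET",
])

def inbound_rule_matches(src, dst):
    """Header check for a rule written '$EXTERNAL_NET any -> $HOME_NET any'."""
    return VARS["EXTERNAL_NET"](src) and VARS["HOME_NET"](dst)

def passes_bpf(src, dst, ignored="10.1.10.24"):
    """Model of the BPF 'not host 10.1.10.24': False means Snort never sees the packet."""
    return ignored not in (src, dst)

if __name__ == "__main__":
    # Constructed sample flows: (source, destination)
    for src, dst in [("10.1.10.24", "10.1.10.5"), ("192.0.2.7", "10.1.10.24"),
                     ("192.0.2.7", "10.1.10.5")]:
        print(src, "->", dst, "rule header matches:", inbound_rule_matches(src, dst),
              "| survives BPF:", passes_bpf(src, dst))
```

In this model, a flow from 10.1.10.24 to another HOME_NET host still satisfies an `$EXTERNAL_NET -> $HOME_NET` rule header, whereas the BPF removes every packet to or from that host.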

