Snort mailing list archives
Re: Supressing alert
From: Tommie Giles <tgiles () gmail com>
Date: Fri, 26 Jun 2009 21:44:53 -0500
Hi, Shawn. I'm late to the topic. However, you could easily write a BPF to remove a specific src -> dst -> port. Snort will ignore traffic with that particular pattern. An example:

    # Let's ignore traffic coming from 192.168.1.1, going to 192.168.2.2, but only on port 161 on 192.168.2.2
    not ((src host 192.168.1.1) && (dst host 192.168.2.2) && (dst port 161))

You load a BPF file in snort using the -F switch. Hope that helps somewhere.

Cheers,
tom

On Fri, Jun 26, 2009 at 12:52 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

I want to suppress an alert, but only from a specific src to a specific dst. Looking at the documentation for alert suppression, it looks like you can either use track by_src OR by_dst. What's the best way to do this?

Thanks,
-- Shawn

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Tommie Giles
"If all else fails, immortality can always be assured by spectacular error."
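Added example (not from the thread or from the Snort project): a small Python helper that builds the kind of BPF exclusion file Tommie describes (loaded with snort -F) from a list of (src, dst, dst_port) flows, validates the addresses so a typo cannot silently widen the filter, and replays constructed sample packets through the same match logic to show exactly which traffic the filter hides from every Snort rule. The function names, the sample packets and the flow list are assumptions made for the example.

```python
"""Build a Snort BPF exclusion filter (for `snort -F <file>`) from
(src, dst, dst_port) flows.  Added example, not the list post's own code.

Security point the code makes visible: a BPF exclusion discards matching
packets before any rule runs, so it silences every signature for that flow,
not just one alert, and it only matches the direction you wrote down.
"""
import ipaddress
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, int]  # (src host, dst host, dst port) - assumed shape


def bpf_term(src: str, dst: str, port: int) -> str:
    """One pcap-filter conjunction for a single src -> dst:port flow."""
    ipaddress.ip_address(src)  # raises ValueError on a malformed address
    ipaddress.ip_address(dst)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"src host {src} and dst host {dst} and dst port {port}"


def build_exclusion_filter(flows: Iterable[Flow]) -> str:
    """Wrap all flows in one 'not (...)' so Snort never sees any of them."""
    terms = [bpf_term(*f) for f in flows]
    if not terms:
        raise ValueError("no flows given; 'not ()' is not valid BPF")
    if len(terms) == 1:
        return f"not ({terms[0]})"
    return "not (" + " or ".join(f"({t})" for t in terms) + ")"


def write_bpf_file(path: str, flows: Iterable[Flow]) -> str:
    """Write the expression to a file suitable for `snort -F path`."""
    expr = build_exclusion_filter(flows)
    with open(path, "w") as fh:
        fh.write(expr + "\n")
    return expr


def is_excluded(pkt: dict, flows: Iterable[Flow]) -> bool:
    """Mirror the filter: exact match on src host, dst host and dst port."""
    return any(pkt["src"] == s and pkt["dst"] == d and pkt["dport"] == p
               for s, d, p in flows)


# Constructed sample traffic (not captured data), keyed like the filter terms
SAMPLE_PACKETS = [
    {"src": "192.168.1.1", "dst": "192.168.2.2", "dport": 161},    # SNMP poll
    {"src": "192.168.1.1", "dst": "192.168.2.2", "dport": 22},     # same hosts, SSH
    {"src": "192.168.2.2", "dst": "192.168.1.1", "dport": 50123},  # SNMP reply
    {"src": "10.0.0.9", "dst": "192.168.2.2", "dport": 161},       # another poller
]
FLOWS: List[Flow] = [("192.168.1.1", "192.168.2.2", 161)]


def inspected_packets(packets=SAMPLE_PACKETS, flows=FLOWS) -> List[dict]:
    """Packets Snort would still run through its rules with the filter loaded."""
    return [p for p in packets if not is_excluded(p, flows)]


if __name__ == "__main__":
    print(build_exclusion_filter(FLOWS))
    for p in inspected_packets():
        print("still inspected:", p)
```

Two things the replay makes obvious: the SSH packet between the same two hosts and the poll from 10.0.0.9 are still inspected, so the exclusion is as narrow as the tuple you wrote; but so is the SNMP reply from 192.168.2.2, because `dst port 161` only matches the request direction, which is usually what you want when quieting a known poller without blinding the sensor to the whole host pair.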
Current thread:
- Supressing alert Jefferson, Shawn (Jun 26)
- Re: Supressing alert Joel Esler (Jun 26)
- Re: Supressing alert Shenk, Jerry A (Jun 26)
- Re: Supressing alert Jefferson, Shawn (Jun 29)
- Re: Supressing alert Tommie Giles (Jun 26)