Re: White listing not performing as expected

[Nigel Houghton <nhoughton () sourcefire com>]

On Mon, Oct 12, 2009 at 10:41 AM, Tommie Giles <tgiles () gmail com> wrote:
> Morning, all.
>
> I have a device on my networking that I'm endeavoring to white list.
> However, it stubbornly refuses to follow my directives and I keep
> getting alerts on it. Running 2.8.4.1 (Build 38). Everything else
> seems to be configured normally, just this one thing is a thorn in my
> side on this device. Here's the relevant configuration bits from
> snort:
>
>
> [snort.conf]
>
> var $HOME_NET
> 10.199.0.0/25
>
> [threshold.conf]
>
> suppress gen_id 1, sig_id 1, track by_dst, ip 10.199.0.115
> suppress gen_id 1, sig_id 1, track by_src, ip 10.199.0.115

You are suppressing *only* gid 1, sid 1 from alerting to/from that
address. Everything else will still generate events and tell you about
it.

You should probably concentrate on the BPF so that snort doesn't
process anything to/from that host (if that's what you're trying to
do) and remove the suppression lines. You might also want to consider
a pass rule for that host.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users