IDS mailing list archives

Re: Snort Network Suppression


From: "Jamie Riden" <jamie.riden () gmail com>
Date: Mon, 17 Dec 2007 14:55:16 -0600

On 15/12/2007, Alexander Bondarenko <al.bondarenko () gmail com> wrote:
Hi!

threshold.conf is not what you want because it allows you to suppress a
particular rule for a particular src | dst ip address.  If you want to
ignore all traffic for 192.168.1.0/24 you should use bpf filters with snort.

I agree with Alexander that this is how you drop all alerts from and
to a particular netblock, but I don't think this is a good idea in
practice.  You'd be throwing all the useful information away with the
false positives. I used to run snort on a /16 and it was extremely
noisy at first, but a bit of hand-tuning of the rules really paid off.

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
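As an added illustration that is not part of the thread, here are the two mechanisms Alexander contrasts written out in Snort 2.x syntax: a threshold.conf `suppress` entry, which silences one rule for one netblock, against a BPF filter, which removes the netblock from detection entirely. The gen_id/sig_id values are placeholders chosen for the example; the 192.168.1.0/24 netblock is the one from the thread. It also shows a `threshold` rate-limit entry, which the thread does not mention, as one of the per-rule tuning options Jamie's "hand-tuning" points toward.

```conf
# Added example, not from the original thread. SIDs 1000001-1000003 are
# placeholders; only the 192.168.1.0/24 netblock comes from the thread.

# --- threshold.conf: suppress ONE rule for ONE netblock -------------------
# Every other alert involving 192.168.1.0/24 is kept; only SID 1000001 fired
# by sources in that netblock is silenced. This is the per-rule, per-address
# scope Alexander describes, and the right tool for a known false positive.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.0/24

# Same rule, silenced only when the netblock is the destination.
suppress gen_id 1, sig_id 1000001, track by_dst, ip 192.168.1.0/24

# Without a track/ip clause the rule is suppressed everywhere; still one rule,
# never all traffic for a host or netblock.
suppress gen_id 1, sig_id 1000002

# Rate-limit instead of silencing: at most one alert per source per 60 s for
# SID 1000003, so a noisy rule stays visible without flooding the console.
threshold gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60

# --- BPF filter: drop ALL traffic for the netblock before detection ----------
# BPF is applied by the capture layer, so matching packets never reach the
# detection engine. Give it on the command line or in a file read with -F:
#   snort -c /etc/snort/snort.conf -i eth0 not net 192.168.1.0/24
#   snort -c /etc/snort/snort.conf -i eth0 -F /etc/snort/ignore.bpf
# where /etc/snort/ignore.bpf contains the BPF expression (not Snort syntax):
#   not net 192.168.1.0/24
# Consequence, and Jamie's objection: every alert that would have involved
# 192.168.1.0/24 is lost, true positives along with the false ones.
```

In practice the `suppress` entries are kept in threshold.conf (pulled in by `include threshold.conf` from snort.conf) so that a later rule update does not undo the tuning, while a BPF filter is best reserved for traffic you have decided you never want inspected at all, such as a dedicated backup or monitoring segment.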
