Snort mailing list archives
Re: how to ignore scans from trusted hosts?
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 31 May 2001 09:55:31 -0500 (CDT)
Roeland Weve <roeland () office netland nl> wrote asking:
I've seen it in a snort.conf version where the trusted host 'www.snort.org' was ignored from getting alerts from. Now I'm getting alerts from some trusted hosts and want to ignore them by putting them in the snort.conf file. I forgot how to do that, is it still possible and how can I do it?
Yes, you need to write a "pass" rule, e.g.: pass tcp 205.164.217.39 80 <> any any Then be sure to use the '-o' option on the command line when you start Snort, so that the "pass" rules are acted upon before the "alert" rules. Best regards, Neil Dickey, Ph.D. Research Associate/Sysop Geology Department Northern Illinois University DeKalb, Illinois 60115 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- how to ignore scans from trusted hosts? Roeland Weve (May 31)
- <Possible follow-ups>
- Re: how to ignore scans from trusted hosts? Neil Dickey (May 31)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)
- Re: how to ignore scans from trusted hosts? Phil Wood (Jun 01)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)
- Re: how to ignore scans from trusted hosts? Neil Dickey (Jun 01)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)