Snort mailing list archives
Re: how to ignore scans from trusted hosts?
From: Phil Wood <cpw () lanl gov>
Date: Fri, 1 Jun 2001 10:58:46 -0600
Have you tried:

    preprocessor portscan-ignorehosts: $IGNOREHOSTS

(the syntax for the host list is space-separated host addresses)

Also, I take the spp_portscan.c file and comment out the logging of alerts. This leaves the scan data in the text scan file, which can be looked at and summarized in other ways. It is just plain nuts to send thousands of alerts to an SQL database.

On Fri, Jun 01, 2001 at 11:59:42AM -0400, Tony Lill wrote:
> "Neil" == Neil Dickey <neil () geol niu edu> writes:
>
> Neil> Roeland Weve <roeland () office netland nl> wrote asking:
>
> >> I've seen it in a snort.conf version where the trusted host
> >> 'www.snort.org' was ignored from getting alerts from. Now I'm
> >> getting alerts from some trusted hosts and want to ignore them
> >> by putting them in the snort.conf file. I forgot how to do
> >> that, is it still possible and how can I do it?
>
> Neil> Yes, you need to write a "pass" rule, e.g.:
>
> Neil> pass tcp 205.164.217.39 80 <> any any
>
> That won't stop it from complaining about portscans, since that is handled in a pre-processor (before the rules are matched). What you need to do is write a tcpdump-style filter to exclude the host, e.g.
>
>     not ( tcp and host trusted.host and port 80 )
>
> and either append it to the command line or put it in a file and use the -F option to snort.
>
> I've also had problems with pass rules being ignored if you put them after 'include' directives in 1.7. I really should see if that's been fixed in 1.8.
>
> --
> Tony Lill, Tony.Lill () AJLC Waterloo ON CA
> President, A. J. Lill Consultants          fax/data (519) 650 3571
> 539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
> --------------- http://www.ajlc.waterloo.on.ca/ ----------------
> "Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
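Phil's approach above leaves the raw scan data in the text scan file and summarizes it separately instead of pushing every portscan alert into the database; the Python below is an added example of such a summarizer, not code from the thread or from Snort. The line layout it parses (timestamp, src:port -> dst:port, scan type, TCP flags) and the sample lines are constructed assumptions; the trusted address is the one from Neil's pass rule, and it is dropped the same way portscan-ignorehosts would drop it.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines. The layout (timestamp, src:port -> dst:port,
# scan type, flags) is an assumption about spp_portscan's text log.
SAMPLE_SCAN_LOG = """\
Jun  1 10:12:01 192.0.2.10:40001 -> 198.51.100.5:22 SYN ******S*
Jun  1 10:12:01 192.0.2.10:40002 -> 198.51.100.5:23 SYN ******S*
Jun  1 10:12:02 192.0.2.10:40003 -> 198.51.100.5:80 SYN ******S*
Jun  1 10:12:02 192.0.2.10:40004 -> 198.51.100.6:22 SYN ******S*
Jun  1 10:12:05 205.164.217.39:80 -> 198.51.100.5:1025 SYN ******S*
Jun  1 10:12:05 205.164.217.39:80 -> 198.51.100.5:1026 SYN ******S*
Jun  1 10:12:09 203.0.113.7:5555 -> 198.51.100.5:139 NULL ********
this line is garbage and should be skipped
"""

TRUSTED_HOSTS = {"205.164.217.39"}  # the host from Neil's pass rule

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S+)$"
)

def parse_scan_log(text):
    """Yield one record per well-formed line; malformed lines are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        try:
            ip_address(rec["src"]); ip_address(rec["dst"])
        except ValueError:
            continue  # not a valid address pair, skip it
        rec["dport"] = int(rec["dport"])
        yield rec

def summarize(text, trusted=frozenset()):
    """Per untrusted source: probe count, distinct targets and distinct ports."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "probes": 0})
    for rec in parse_scan_log(text):
        if rec["src"] in trusted:
            continue  # same effect as portscan-ignorehosts, applied after the fact
        s = per_src[rec["src"]]
        s["targets"].add(rec["dst"]); s["ports"].add(rec["dport"]); s["probes"] += 1
    return {src: {"targets": len(v["targets"]), "ports": len(v["ports"]),
                  "probes": v["probes"]} for src, v in per_src.items()}

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_SCAN_LOG, TRUSTED_HOSTS).items()):
        print(f"{src:16} probes={s['probes']} targets={s['targets']} ports={s['ports']}")
```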
Current thread:
- how to ignore scans from trusted hosts? Roeland Weve (May 31)
- <Possible follow-ups>
- Re: how to ignore scans from trusted hosts? Neil Dickey (May 31)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)
- Re: how to ignore scans from trusted hosts? Phil Wood (Jun 01)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)
- Re: how to ignore scans from trusted hosts? Neil Dickey (Jun 01)
- Re: how to ignore scans from trusted hosts? Tony Lill (Jun 01)