Snort mailing list archives

Re: Excluding $HOME_NET -> $HOME_NET Alerts

From: Ed Kasky <ed () esson net>
Date: Mon, 20 May 2002 09:21:20 -0700

Michael,

The only problem with this is that it changes the "Signature" descriptionof each Alert to "(External) Incoming

traffic."

Can it be done without the msg description so that it leaves Snort'sdescription?


Ed
~~

At 11:36 AM Monday, 5/20/2002, Michael Boman wrote -=>

You could create a 'pass' rule.

var HOME_NET [10.1.1.0/24,10.1.2.0/24]
var EXTERNAL_NET !$HOME_NET
var IGNORE_THIS_BOX [10.2.1.92]

pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incomming
traffic";)

and start snort with '-o'. Be carefull thought, too many pass rules and
performance is dropping dramaticly.


Ed Kasky
Los Angeles, CA
. . . . . . . .
Jumping to conclusions can be a bad exercise.


_______________________________________________________________
Hundreds of nodes, one monster rendering program.
Now that's a super model! Visit http://clustering.foundries.sf.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Excluding $HOME_NET -> $HOME_NET Alerts Ed Kasky (May 19)
- Re: Excluding $HOME_NET -> $HOME_NET Alerts Michael Boman (May 19)
  - Re: Excluding $HOME_NET -> $HOME_NET Alerts Ed Kasky (May 19)
    - Re: Excluding $HOME_NET -> $HOME_NET Alerts Michael Boman (May 19)
    - Re: Excluding $HOME_NET -> $HOME_NET Alerts Ed Kasky (May 20)
    - Re: Excluding $HOME_NET -> $HOME_NET Alerts Michael Boman (May 20)