Snort mailing list archives
Re: Re: excluding a host from rule
From: Joe McAlerney <joey () SiliconDefense com>
Date: Thu, 30 May 2002 18:04:29 -0700
Be careful though. This will ignore any attacks destined to your scanning box (192.168.200.3) as well. If you want to ignore rule-based alerts originating from your scanner, create pass rules:

    pass ip 192.168.200.3/32 any -> $HOME_NET any

To ignore portscans from your scanner:

    preprocessor portscan-ignorehosts: 192.168.200.3/32

Note, this will still log any "stealth" scans. If you really want to ignore these, you will have to get creative with BPF filters applied to your scanner's IP.

But, if you trust the box your scanner is on like it's your co-pilot, you can simply block Snort from seeing ALL traffic FROM your scanner using a BPF filter, similarly to the way Alex suggested:

    snort -dev -c snort.conf not src host 192.168.200.3
                                 ^^^

hth,

-Joe M.

--
Joe McAlerney
Silicon Defense: IDS Solutions

------

Example:

    snort -dev -c snort.conf not host 192.168.200.3

Alex Brazil

----- Original Message -----
From: Chang, Andre
To: 'snort-users () lists sourceforge net'
Sent: Thursday, May 30, 2002 6:19 PM
Subject: [Snort-users] excluding a host from rule

Can you exclude specific hosts from triggering the alert in a rule? But still get alerted by that rule if any other hosts try the same action.

Example you have a port scan on your network and you do not want to get alerted by that host doing the scan but you do want to get alerted by anyone else performing a port scan.
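Added example (not part of the original thread and not Snort code): a small Python model of the exclusions discussed above, run over constructed packets, showing which traffic Snort would still inspect under each one. HOME_NET is assumed to be 192.168.200.0/24, and the model matches on source and destination address only.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address
SCANNER = ip("192.168.200.3")                         # scanner address from the thread
HOME_NET = ipaddress.ip_network("192.168.200.0/24")   # assumed value of $HOME_NET


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    note: str


# Constructed sample traffic, not captured data.
PACKETS = [
    Pkt("192.168.200.3", "192.168.200.10", "scanner probes internal host"),
    Pkt("192.168.200.10", "192.168.200.3", "internal host replies to scanner"),
    Pkt("203.0.113.7", "192.168.200.3", "outside host attacks the scanner"),
    Pkt("203.0.113.7", "192.168.200.10", "outside host scans internal host"),
    Pkt("192.168.200.3", "198.51.100.9", "scanner box talks to outside host"),
]


def bpf_not_host(p):
    """Models the BPF filter: not host 192.168.200.3 (either direction dropped)."""
    return SCANNER not in (ip(p.src), ip(p.dst))


def bpf_not_src_host(p):
    """Models the BPF filter: not src host 192.168.200.3 (only scanner-sourced dropped)."""
    return ip(p.src) != SCANNER


def pass_rule(p):
    """Models: pass ip 192.168.200.3/32 any -> $HOME_NET any.
    Snort still sees every packet; only scanner -> HOME_NET is exempt from alerting."""
    return not (ip(p.src) == SCANNER and ip(p.dst) in HOME_NET)


def inspected(policy):
    """Notes of the packets that can still raise an alert under this policy."""
    return [p.note for p in PACKETS if policy(p)]


def hidden(policy):
    """Notes of the packets this policy removes from alerting."""
    return [p.note for p in PACKETS if not policy(p)]


if __name__ == "__main__":
    for policy in (bpf_not_host, bpf_not_src_host, pass_rule):
        print(policy.__name__, "hides:", hidden(policy))
```

Only the `not host` model hides "outside host attacks the scanner", which is the blind spot the reply warns about. In Snort releases of that era, pass rules were evaluated after alert rules unless Snort was started with `-o`.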