Snort mailing list archives

RE: ignore hosts


From: "Don" <Don () WeberOnTheWeb com>
Date: Wed, 6 Nov 2002 10:24:46 -0800

I've done the same thing by setting a TRUSTED_NET variable and entering the
IPs under that variable that I don't want to receive alerts from:
var TRUSTED_NET [192.168.0.0/24,10.0.0.0/24]
Under TRUSTED_NET, for my purposes, I also enter my HOME_NET's IPs; then for
all the alerts I change them from $EXTERNAL_NET to !$TRUSTED_NET.
For instance, the default http.rules file that comes with Snort
contains the following line (wrapped in this case):
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Possible Chunked
Encoding transfer attempt"; flags:A+; content:"Transfer-Encoding|3A|";
nocase; content:"chunked"; nocase; reference:bugtraq,4485;
classtype:web-application-activity; rev:3;)

I change this to:

alert tcp !$TRUSTED_NET any -> $HTTP_SERVERS 80 (msg:"Possible Chunked
Encoding transfer attempt"; flags:A+; content:"Transfer-Encoding|3A|";
nocase; content:"chunked"; nocase; reference:bugtraq,4485;
classtype:web-application-activity; rev:3;)

and that makes the rule ignore any scans from any IP in my trusted net as
well as my own net.

Also, in snort.conf, I add the trusted net variable to the line for the
portscan preprocessor as an ignorehost:

preprocessor portscan-ignorehosts: $TRUSTED_NET

It's the next line down from:

preprocessor portscan: $HOME_NET 4 3 portscan.log

Hope this helps.

Don
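As an added example (not code from Don's post or from the Snort project), the script below applies Don's rewrite to a rules file and checks which source addresses a rewritten rule still alerts on. The regular expression, the function names and the sample rules are my own; the trusted nets are the two from Don's var line. One caveat worth checking against aaz's original question: the substitution only touches the source address field of a rule, so a trusted host that appears as the destination (or a rule that uses $EXTERNAL_NET as its destination) is not affected by it.

```python
"""Apply the $EXTERNAL_NET -> !$TRUSTED_NET rewrite described in Don's post
to Snort rule lines, and show which source IPs the rewritten rule still
alerts on.  Example code added to this page; not from the original thread."""
import ipaddress
import re

# Constructed sample input: the trusted nets from Don's post.
TRUSTED_NET = ["192.168.0.0/24", "10.0.0.0/24"]

# Constructed sample rules: the chunked-encoding rule on one line, a comment,
# and a rule that uses $EXTERNAL_NET as the *destination* (left untouched).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Possible Chunked Encoding transfer attempt"; flags:A+; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; reference:bugtraq,4485; classtype:web-application-activity; rev:3;)
# comment lines pass through unchanged
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"outbound example"; rev:1;)
"""


def var_line(name, nets):
    """Render a snort.conf 'var' line, e.g. 'var TRUSTED_NET [a/24,b/24]'."""
    return "var %s [%s]" % (name, ",".join(nets))


# Matches '<action> <proto> $EXTERNAL_NET ' only when $EXTERNAL_NET is the
# source field (the one right after the protocol).  Hypothetical helper regex.
_SRC_RE = re.compile(r"^(alert|log|pass|drop)\s+(\S+)\s+\$EXTERNAL_NET\s+")


def rewrite_rule(line):
    """Replace $EXTERNAL_NET as the source address with !$TRUSTED_NET.
    Destination uses, comments and blank lines are returned as-is."""
    return _SRC_RE.sub(lambda m: "%s %s !$TRUSTED_NET " % (m.group(1), m.group(2)), line)


def rewrite_rules(text):
    """Apply rewrite_rule to every line of a rules file; returns the new text."""
    return "\n".join(rewrite_rule(line) for line in text.splitlines())


def source_alerts(src_ip, trusted=TRUSTED_NET):
    """Would a rule whose source is !$TRUSTED_NET fire for traffic from src_ip?
    True unless src_ip falls inside one of the trusted CIDR blocks."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in ipaddress.ip_network(net) for net in trusted)


if __name__ == "__main__":
    print(var_line("TRUSTED_NET", TRUSTED_NET))
    print(rewrite_rules(SAMPLE_RULES))
    for ip in ("192.168.0.5", "10.0.0.9", "172.16.4.2"):
        print(ip, "alerts" if source_alerts(ip) else "ignored")
```

Run it on a copy of your rules directory rather than on the live files; the second sample rule shows that a rule with $EXTERNAL_NET on the destination side is not changed, which is exactly the case Don's approach leaves uncovered.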



  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of aaz
  Sent: Wednesday, November 06, 2002 8:37 AM
  To: snort-users () lists sourceforge net
  Subject: [Snort-users] ignore hosts


  Hi,
  Brand new to Snort. We want to ignore certain IPs from showing up as
alerts regardless of whether they are the source or destination. I see the
portscan ignore hosts; however, is there some other general place to specify
this that will apply to all the rules before they are logged?

  thanks!
