Snort mailing list archives

Re: How to ignore a specific host(s) ?


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 30 May 2003 23:59:00 +0200


Still, the best way to ignore a specific host(s) is to filter out the
packets to or from that host before they reach Snort, using BPF filters at the
kernel level.

Simply add "not host 111.111.111.111" to your command line and you're
blessed. If you want to ignore more hosts, add "and not host
111.111.111.112", and so on.

The kernel will throw away those packets as soon as possible, so they
will not be copied to user space, where the application (Snort in
this case) would have to analyse them first and then throw them away.

See the tcpdump manpage for more information on this.

Regards,

Edin


Shawn Duffy wrote:
You may want to change your $EXTERNAL_NET variable from any to
[any,!$WHATEVER_IP_YOU_WANT] and then make sure that whatever rule is
triggering is using the variable $EXTERNAL_NET instead of "any"
[...]



--
Edin Dizdarevic
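An added example, not part of Edin's or Shawn's posts: a small POSIX shell helper that assembles the BPF "not host ... and not host ..." expression described above from a list of hosts (checking each one is a plausible IPv4 address first, since a typo would silently filter nothing) and, for comparison, the $EXTERNAL_NET variable form from the quoted reply. The addresses and the snort command line are placeholders.

```shell
# Added example (not from the original post). Builds the kernel-level BPF
# filter Edin describes so packets to/from the listed hosts never reach Snort.
# Addresses below are placeholders, as in the post.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# Emit "not host A and not host B ..." for every argument; fail on a bad address.
build_ignore_filter() {
    expr=""
    for h in "$@"; do
        is_ipv4 "$h" || { echo "bad address: $h" >&2; return 1; }
        if [ -z "$expr" ]; then
            expr="not host $h"
        else
            expr="$expr and not host $h"
        fi
    done
    printf '%s\n' "$expr"
}

# Emit the snort.conf line in the form the quoted reply suggests, excluding the
# same hosts from $EXTERNAL_NET (only rules that use $EXTERNAL_NET honour it).
build_external_net() {
    list=""
    for h in "$@"; do
        is_ipv4 "$h" || return 1
        list="${list:+$list,}!$h"
    done
    printf 'var EXTERNAL_NET [any,%s]\n' "$list"
}

# Usage: the BPF expression goes after Snort's own options, e.g.
#   snort -c /etc/snort/snort.conf -i eth0 \
#       "$(build_ignore_filter 111.111.111.111 111.111.111.112)"
```

Unlike the $EXTERNAL_NET change, the BPF filter drops the packets in the kernel, so they are neither copied to user space nor seen by any rule, including rules written with "any".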




