Snort mailing list archives
Re: How to ignore a specific host(s) ?
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 30 May 2003 23:59:00 +0200
Still, the best way to ignore a specific host(s) is to blend out the packets from Snort for or from the specific host using BPF filters at the kernel level. Simply add "not host 111.111.111.111" to your command line and you're blessed. If you want to ignore more hosts, add "and not host 111.111.111.112", and so on.

The kernel will throw away those packets as soon as possible, so they will not be copied to user space, where the application (Snort in this case) has to analyse them first and then throw them away.

See the tcpdump manpage for more information on this.

Regards,
Edin

Shawn Duffy wrote:
You may want to change your $EXTERNAL_NET variable from any to [any,!$WHATEVER_IP_YOU_WANT] and then make sure that whatever rule is triggering is using the variable $EXTERNAL_NET instead of "any"[...]
--
Edin Dizdarevic
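Added example, not part of the original post: a POSIX shell helper that builds the "not host ... and not host ..." filter described in the message from a list of hosts, validating each address so that a typo or a stray token cannot silently change what Snort is allowed to see. The function names, and the interface and config path in the usage comment, are assumptions.

```shell
#!/bin/sh
# Build a BPF exclusion filter ("not host A and not host B ...") for Snort.
# Function names are hypothetical; the addresses are the ones from the message.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ignore_filter HOST...: print the filter, or fail without output if
# any argument is not a plain IPv4 address (so "1.2.3.4 or port 22" cannot
# be smuggled into the expression) or if no host was given.
build_ignore_filter() {
    filter=''
    for host in "$@"; do
        if ! is_ipv4 "$host"; then
            echo "refusing invalid host: $host" >&2
            return 1
        fi
        filter="${filter:+$filter and }not host $host"
    done
    [ -n "$filter" ] || return 1
    printf '%s\n' "$filter"
}

# Print the filter for the two hosts used in the message.
build_ignore_filter 111.111.111.111 111.111.111.112

# Usage (assumed interface and config path): the filter is passed as the
# trailing arguments of the Snort command line, as the message describes.
#   snort -i eth0 -c /etc/snort/snort.conf \
#       "$(build_ignore_filter 111.111.111.111 111.111.111.112)"
```

Traffic matching the filter never reaches Snort, so no rule can fire on it; keep the host list short and review it whenever addresses are reassigned.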