Snort mailing list archives
RE: Exclude hosts in snort
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 11 Aug 2003 18:41:05 -0500
Put the following rule in a local rule file that doesn't get overwritten when you update your rules:

    pass ip $EXCLUDED_HOSTS any -> any any (msg:"Don't want alarms from these hosts"; sid:10000010; rev:1;)

Edit snort.conf as follows:

    var EXCLUDED_HOSTS [ip/mask,ip/mask,ip/mask,ip/mask,ip/mask]

(e.g. 1.1.1.1/32)

Restart snort with the -o switch to parse pass rules first.

All of this is in the docs and has been discussed repeatedly.

http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2
Search for "pass"

http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4
Search for "alert order"

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Jason [mailto:netlist () kua net]
Sent: Monday, August 11, 2003 11:01 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Exclude hosts in snort

I have searched the posts and web and can't seem to find an easy/working way to exclude hosts from snort. I have thousands of alerts from multiple servers on my network. I am trying to find a way to tell snort "globally" not to pay attention to these hosts. I would like to be able to add this to the snort.conf file so I can copy this file to my other sensors. I have used the command line "not host" options, which does work, but I have way too many hosts to use that. I don't want to edit every rule file. Basically I want to be able to add a host to one location, restart snort and be done with it.

Any help is appreciated,
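The following is an added example, not part of the original message and not Snort's own code: a simplified Python model of rule-type ordering, showing why the pass rule above only suppresses alerts when Snort runs with -o, and that the rule as written matches on source address only, so traffic sent to the excluded hosts still alerts. The addresses, the alert rule and its sid are constructed for illustration; the two orderings are the ones Snort's documentation gives for the -o switch.

```python
import ipaddress

# Constructed sample values (documentation address ranges, not from the post).
EXCLUDED_HOSTS = ["192.0.2.10/32", "198.51.100.0/28"]

# Header-only view of two rules: (action, source networks, sid).
RULES = [
    ("alert", ["0.0.0.0/0"], 1000001),   # hypothetical noisy alert rule
    ("pass", EXCLUDED_HOSTS, 10000010),  # the pass rule from the message
]

DEFAULT_ORDER = ("alert", "pass", "log")     # rule-type order without -o
PASS_FIRST_ORDER = ("pass", "alert", "log")  # rule-type order with -o


def matches(src_nets, src_ip):
    """True if src_ip falls inside any of the rule's source networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in src_nets)


def evaluate(src_ip, order):
    """Walk rule types in the given order; the first matching rule decides."""
    for action in order:
        for rule_action, src_nets, sid in RULES:
            if rule_action == action and matches(src_nets, src_ip):
                return action, sid
    return None, None


if __name__ == "__main__":
    # Packet sourced from an excluded host: only -o lets the pass rule win.
    print(evaluate("192.0.2.10", DEFAULT_ORDER))
    print(evaluate("192.0.2.10", PASS_FIRST_ORDER))
    # Packet from an outside host toward an excluded host: the source does
    # not match $EXCLUDED_HOSTS, so it still alerts even with -o.
    print(evaluate("203.0.113.5", PASS_FIRST_ORDER))
```

Because a pass rule is a deliberate blind spot, keep the excluded list as narrow as the noise requires and review it whenever those hosts change role.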
Current thread:
- Exclude hosts in snort Jason (Aug 11)
- Re: Exclude hosts in snort Erek Adams (Aug 11)
- Re: Exclude hosts in snort Bryan Irvine (Aug 11)
- Re: Exclude hosts in snort Erek Adams (Aug 11)
- Re: Exclude hosts in snort Bryan Irvine (Aug 11)
- Re: Exclude hosts in snort Erek Adams (Aug 11)
- <Possible follow-ups>
- Re: Exclude hosts in snort JP Vossen (Aug 11)
- RE: Exclude hosts in snort Schmehl, Paul L (Aug 11)
- Exclude hosts in snort Jason Smalley (Aug 12)