FW: Rule to exclude a specific IP in Snort

["grant" <grant () macaulayconsultants co uk>]

I am trying to create an exclusion list for multiply machines and rules. I have created a file called whiteSRC.txt and 
included this in my snort.conf, I can get it to work with one machine. I am having difficulty with multiply entries. Is 
there any information or documentation I can get anywhere? 

suppress gen_id 1, sig_id 409, track by_src, ip 172.30.234.56    This line works fine!
suppress gen_id 2, sig_id 1419, track by_dst, ip 172.28.71.60    Is this right? I made this up!!

Thanks

Grant Macaulay

Hey Chris,

What does the different part of that instruction mean?:

suppress
gen_id 1,         <-- what does this mean?
sig_id 527,
track by_src,    <-- And this?
ip 192.168.10.37

Thanks

Juan M. Rivera Rivera
IT Director
American University of P.R.

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Thursday, October 09, 2003 9:28 AM
To: Juan M. Rivera
Cc: Snort Users List
Subject: Re: [Snort-users] Rule to exclude a specific IP in Snort

"Juan M. Rivera" <jrivera () aupr edu> writes:

> I'm trying to modify the following Snort Rule:
>
> Alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip;
> reference:cve,CVE-1999-0016;
> reference:url,www.cert.org/advisories/CA-1997-28.html;
> classtype:bad-unknown; sid:527; rev:4;)
>
> I'm getting an alert on just one ip address and I know what the problem
is.
> So I'm trying to modify this rule so that it takes into account any
internal
> ip address except 192.168.10.37.

Don't bother with changing the rule anymore for handling that case.

suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37

in snort 2.0.2.
--
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users 

N�HY޵隊X���'���u��w�+�m�$>� 
������xZ+��޶,��/z���M��Ң��x����-�'���z�e{h���B�5��/�כz�^�ǫ�'�)brH^��m������q����z�캚h�׫��iJz+���ɚ�X��X��)��۬z�%��l���q����zѨ��a��.����z���m��좻����r��zm����+-��.�ǟ�����+-��b�ا~�잊��ǫ�)��۬z�%��Z��b��m����
 z�+k   ^��&������w�+-