Snort mailing list archives

Snort decoder & pass rules


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 7 Nov 2005 09:43:54 -0500

Following a recent sensor redeployment, I've started seeing some alerts on
an internal segment that look like this:

Time:        7 Nov 2005 09:17:23 EST
Message:     (snort decoder) Bad Traffic Loopback IP
SID:         [1:150]
Proto:       UDP
Source IP:   10.0.2.24
Source Port: 2300
Dest IP:     127.0.0.1
Dest Port:   2300


A quick sniff of the traffic reveals that this is actually occurring.  The
device generating the traffic is an older telephony interface and has
probably been doing this for a very long time.  I would like to disable
these alerts, but because they're generated by the decoder, I'm not sure how
to proceed.  I am assuming that writing pass or suppress rules will be
ineffective.  The documented alert options for the decoder don't include the
ability to single out this type of alert, let alone specify source addresses
to ignore.  So what's the best way to address this issue?  Are my only
options 'config disable_decode_alerts' or just living with the noise?

Thanks,
PaulM

PS - If it matters, the sensor is running 2.4.3.
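One targeted way to handle this, added here as an example and not part of the original post: an event-suppression entry in Snort's threshold.conf keyed on the alert and source address shown above, beside the blanket option the post mentions. The generator/signature pair 1:150 is taken from the alert display above; decoder alerts in Snort 2.x are normally reported under generator 116 (see gen-msg.map), so confirm the pair your sensor actually emits before relying on the entry.

```conf
# Added example, not from the original post.
#
# Blunt option named in the post (goes in snort.conf): silences every
# decoder alert sensor-wide, including ones you may still want to see.
#   config disable_decode_alerts
#
# Targeted option (goes in threshold.conf, pulled in by snort.conf's
# "include threshold.conf"): suppress only this event, and only when it
# comes from the known telephony device. gen_id/sig_id are taken from the
# alert display above ([1:150]); if the sensor reports decoder events under
# generator 116, use that value instead. Any other source still alerts.
suppress gen_id 1, sig_id 150, track by_src, ip 10.0.2.24
```

Restart Snort after editing threshold.conf, then confirm with a packet capture that the telephony device's loopback-destined UDP is the only traffic being silenced.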




