Snort mailing list archives
Re: Ignoring Alerts
From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 29 Mar 2007 16:12:11 -0400
Of course. Any type of bpf filter can be placed in Snort. On Thu, Mar 29, 2007 at 09:24:23AM -0400, it looks like Loula Alexsander-WAL010 sent me:
I'd like to have more control putting these "secure" hosts in the config file. Can I use BPF for several hosts? Tks, Alex ________________________________ From: Joel Esler [mailto:joel.esler () sourcefire com] Sent: Tuesday, March 27, 2007 9:24 PM To: Loula Alexsander-WAL010 Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Ignoring Alerts BPF filters are definitely more efficient for the Snort engine than pass rules. Do you not want to use BPF filters? +---------------------------------------------------------------------+ Joel Esler Security Consultant gpg key: http://demo.sourcefire.com/jesler.pgp.key +---------------------------------------------------------------------+ On Mar 27, 2007, at 7:44 AM, Loula Alexsander-WAL010 wrote: Hi Folks, I'm trying to ignore alerts from some hosts using Pass Rules. I put in my snort.conf: pass tcp [10.1.1.0/24,192.168.1.0/24] any -> any any I repeated this for icmp, udp and ip, I run Snort with "-o" option to change test order for pass|alert|log, but unfortunately this is not working. When I use BPF Filter works well: snort... not host... My Snort is 2.6.1.3 running on a Debian system. Any ideas? Regards, Alex ------------------------------------------------------------------------ - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDE V_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
+---------------------------------------------------------------------+
Joel Esler Security Consultant
gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Ignoring Alerts Loula Alexsander-WAL010 (Mar 27)
- Re: Ignoring Alerts Joel Esler (Mar 27)
- Re: Ignoring Alerts Loula Alexsander-WAL010 (Mar 29)
- Re: Ignoring Alerts Joel Esler (Mar 29)
- Re: Ignoring Alerts Loula Alexsander-WAL010 (Mar 29)
- Re: Ignoring Alerts Joel Esler (Mar 27)