Snort mailing list archives

Re: Suppressing alert


From: Tommie Giles <tgiles () gmail com>
Date: Fri, 26 Jun 2009 21:44:53 -0500

Hi, Shawn.

I'm late to the topic. However, you could easily write a BPF to remove
a specific src -> dst -> port. Snort will ignore traffic with that
particular pattern. An example:

# Let's ignore traffic coming from 192.168.1.1, going to 192.168.2.2,
# but only on port 161 on 192.168.2.2

not ((src host 192.168.1.1) and (dst host 192.168.2.2) and (dst port 161))

You load a BPF file in snort using the -F switch.

Hope that helps somewhere.

Cheers,

tom

On Fri, Jun 26, 2009 at 12:52 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

I want to suppress an alert, but only from a specific src to a specific
dst.  Looking at the documentation for alert suppression, it looks like you
can either use track by_src OR by_dst.  What’s the best way to do this?

Thanks,

--
Shawn


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Tommie Giles

"If all else fails, immortality can always be assured by spectacular error."
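As an added illustration of Tom's BPF approach (example code, not from the thread or from Snort): the function below builds the `-F` exclusion expression for one or more constructed (src, dst, dst_port) triples, and a second function mirrors the filter's semantics on constructed packet dicts so the side effect is visible: a packet matching the triple never reaches any Snort rule, not just the one alert Shawn wanted to silence.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example: generate the pcap-filter expression Tom describes
# for a list of (src, dst, dst_port) triples, and show its effect on
# sample packets. Field names 'src', 'dst', 'dport' are our own.

Triple = Tuple[str, str, int]


def bpf_exclusion(triples: Iterable[Triple]) -> str:
    """Return a pcap-filter expression excluding every given triple.

    Inputs are validated first: a typo in an address or port would
    silently fail to match (or exclude the wrong flow) once loaded
    into Snort with -F.
    """
    clauses: List[str] = []
    for src, dst, port in triples:
        ipaddress.ip_address(src)  # raises ValueError on a bad address
        ipaddress.ip_address(dst)
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port}")
        clauses.append(f"(src host {src} and dst host {dst} and dst port {port})")
    if not clauses:
        return ""  # empty filter: Snort inspects everything
    return "not (" + " or ".join(clauses) + ")"


def snort_would_inspect(pkt: dict, triples: Iterable[Triple]) -> bool:
    """True if the packet survives the BPF and reaches Snort's rules.

    The filter is all-or-nothing: an excluded packet is invisible to
    every rule, unlike a suppress entry that hides a single SID.
    """
    return not any(pkt["src"] == s and pkt["dst"] == d and pkt["dport"] == p
                   for s, d, p in triples)


if __name__ == "__main__":
    rules = [("192.168.1.1", "192.168.2.2", 161)]
    print(bpf_exclusion(rules))  # write this to a file and pass it with -F
    samples = [  # constructed packets
        {"src": "192.168.1.1", "dst": "192.168.2.2", "dport": 161},  # excluded
        {"src": "192.168.1.1", "dst": "192.168.2.2", "dport": 22},   # inspected
        {"src": "10.0.0.9", "dst": "192.168.2.2", "dport": 161},     # inspected
    ]
    for p in samples:
        print(p, "inspected" if snort_would_inspect(p, rules) else "dropped by BPF")
```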