Re: How can i stop alerts that come from my own ip range?

[Joel Esler <jesler () sourcefire com>]

You can either use the ignore_scanners setting within sfportscan, or shutoff
the portscan preprocessor completely.  Ask yourself why you need to look at
portscans

On Wed, May 5, 2010 at 11:46 AM, Pat McNamara <pmcnamara () nic nu> wrote:

> Thanks i am beginning to see the alerts I want to not write to the DB are
> port scan from my mail server. How can i do this.
>
> Thanks
>
> On May 5, 2010, at 11:40 AM, Joel Esler wrote:
>
> Yeah, I wouldn't do a pass rule at all.  Sounds like to me, exactly what
> Matt said.  Define your HOME_NET as the network you want to protect.
>  EXTERNAL_NET, leave as any.  Go from there.
>
> On Wed, May 5, 2010 at 11:36 AM, Stephen Mullins <
> steve.mullins.work () gmail com> wrote:
>
> > You could just create 3 pass rules (tcp, udp, icmp) based on your
> > $HOME_NET variable.
> >
> > Wouldn't recommend it, though, since traffic from your home net may be
> > indicative of trojan call backs and so forth.
> >
> > You want to pass all traffic with a source IP within your $HOME_NET
> > variable with a destination that you didn't state.  I suppose you want
> > to pass all home_net to home_net traffic?  Passing all home_net to
> > !home_net traffic would be a "pretty bad idea."
> >
> > Steve Mullins
> >
> > On Wed, May 5, 2010 at 10:42 AM, Pat McNamara <pmcnamara () nic nu> wrote:
> > > Hi all,
> > > what I am trying to do is any alerts that come from my ip range is to
> > have
> > > snort disregard them and not even write them to the MySql database. I
> > think
> > > it must be some how set in the external_Net but I can't seem to figure
> > it
> > > out.
> > > Thanks
> > > Pat
> > >
> > > Pat McNamara
> > > IT Systems Administrator
> > > .NU domain, Ltd.
> > > Worldnames, Inc.
> > > +1-508-359-5600 x116
> > > pmcnamara () nic nu
> > ------------------------------------------------------------------------------
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> Pat McNamara
> IT Systems Administrator
> .NU domain, Ltd.
> Worldnames, Inc.
> +1-508-359-5600 x116
> pmcnamara () nic nu
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users