Re: what is the command line to use ignore.rules - pass ip

["Al Lewis (allewi)" <allewi () cisco com>]

Please provide a pcap of the traffic.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 


-----Original Message-----
From: hernani coelho [mailto:hernani_coelho () msn com] 
Sent: Friday, January 22, 2016 9:23 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] what is the command line to use ignore.rules - pass ip

alerts are in dst ip 0.0.0.0
or source src 64.4.8.0
or src 64.4.8.1

On 22-01-2016 13:54, Al Lewis (allewi) wrote:
> Can you provide a pcap of the traffic you are having problems with?
in snort,  download in pcap format, shows nothing

> Have you tried suppressing the IP's you don't want?
i have tried this --->
suppress gen_id 1, sig_id 1852, track by_src, ip 0.0.0.0 suppress gen_id 1, sig_id 1852, track by_src, ip 64.4.8.0 
suppress gen_id 1, sig_id 1852, track by_src, ip 64.4.8.1 suppress gen_id 1, sig_id 1852, track by_dst, ip 0.0.0.0

> Do you have your home_net setup correctly?
ipvar HOME_NET [192.168.1.66/24]

> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
> -----Original Message-----
> From: hernani coelho [mailto:hernani_coelho () msn com]
> Sent: Friday, January 22, 2016 8:45 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] what is the command line to use 
> ignore.rules - pass ip
>
> if i put in command line this --->
> /usr/local/bin/snort -q -u snort -g snort -O 
> /etc/snort/rules/ignore.rules -c /etc/snort/snort.conf -i wlan0
>
> snort no works
>
> On 22-01-2016 13:30, hernani coelho wrote:
> > hello,
> >
> > i have this command line --->/usr/local/bin/snort -q -u snort -g 
> > snort -O -c /etc/snort/snort.conf -i wlan0
> >
> > to work with rule pass ip on file /etc/snort/rules/ignore.rules i 
> > have put in file this --> pass ip 64.4.8.0 any -> any any 
> > (msg:"Ignore this
> > host";sid:1000001;rev:1;) pass ip 64.4.8.1 any -> any any 
> > (msg:"Ignore this host";sid:1000001;rev:1;) pass ip 0.0.0.0 any -> 
> > any any (msg:"Ignore this host";sid:1000001;rev:1;)
> >
> > is this correct??
> > snort show ip's in same way.
> >
> > can someone help me??
> > i tried BPF file but no work, the ip 0.0.0.0 is show anyway
> >
> > ---------------------------------------------------------------------
> > -
> > --------
> > Site24x7 APM Insight: Get Deep Visibility into Application 
> > Performance APM + Mobile APM + RUM: Monitor 3 App instances at just 
> > $35/Month Monitor end-to-end web transactions and take corrective 
> > actions now Troubleshoot faster and improve end-user experience. Signup Now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ----------------------------------------------------------------------
> --------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App 
> instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster 
> and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances 
at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve 
end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!