[Snort-devel] New Feature for Snort...

James Hoagland hoagland at ...60...
Tue May 7 08:21:03 EDT 2002


At 11:19 PM -0400 5/6/02, Jon B Anderson wrote:
>I don't know if this has been considered before, but for people who have
>snort installed on a router computer, it would be nice to not log the web
>traffic coming from the internal network.  As this shows up twice in both
>the alert and the portscan.log files, the ability to remove the logging of
>this traffic would be really good.

Hello Jon,

You can do this already (if I understand your need correctly).  At 
the end of the snort command line you can exclude certain kinds of 
traffic from what snort looks at.  The format for this is the same as 
for tcpdump.  I haven't tested this particular pattern, but I think 
you want something like this:

   snort [opts] 'not (tcp and src port 80 and src net x.x.x.x/x)'

x.x.x.x/x is the network you want to ignore web traffic coming from.

I'd be remiss if I didn't warn you about the blind spot that you are 
creating by excluding traffic so broadly.  Consider the alternatives 
such as creating a pass rule for your specific frequent false 
positives and portscan-ignorehosts.

Best regards,

   Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
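The trade-off Jim describes can be made concrete. What follows is an added example, not code from the original thread and not Snort's own code: a small evaluator for the subset of BPF syntax used in the reply (tcp/udp, `[src|dst] port N`, `[src|dst] net CIDR`, `and`/`or`/`not`, parentheses, with tcpdump's precedence), run over constructed sample packets. It compares what Snort would still see behind the command-line filter as posted, behind the same filter rewritten for the request direction (as written, `src port 80 and src net` matches replies sent by web servers inside the net, while client requests carry port 80 as the destination), and behind a pass rule scoped to one specific noisy match. The network 192.168.1.0/24, the packets, the rule fields and the "front page fetch" pass rule are all assumptions standing in for x.x.x.x/x and Jon's actual noise.

```python
"""Added example: BPF-style filter vs. a narrow pass rule, over constructed packets."""
import ipaddress
from typing import Callable, NamedTuple

INTERNAL_NET = "192.168.1.0/24"  # assumed stand-in for x.x.x.x/x in the reply


class Packet(NamedTuple):
    pid: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (not captured data).
PACKETS = [
    Packet(1, "tcp", "192.168.1.10", 40000, "203.0.113.5", 80, b"GET / HTTP/1.0\r\n"),
    Packet(2, "tcp", "203.0.113.5", 80, "192.168.1.10", 40000, b"HTTP/1.0 200 OK\r\n"),
    Packet(3, "tcp", "192.168.1.20", 80, "203.0.113.9", 51000, b"HTTP/1.0 200 OK\r\n"),
    # internal host probing an outside ssh port with source port 80 (SYN, no payload)
    Packet(4, "tcp", "192.168.1.10", 80, "203.0.113.77", 22, b""),
    Packet(5, "tcp", "192.168.1.10", 40001, "203.0.113.5", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    Packet(6, "udp", "192.168.1.10", 53000, "203.0.113.53", 53, b"\x12\x34\x01\x00"),
]

Pred = Callable[[Packet], bool]


class BPF:
    """Compile a BPF-style expression to a predicate; 'not' binds tightest, then 'and', then 'or'."""

    def __init__(self, expr: str):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.pred = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def __call__(self, p: Packet) -> bool:
        return self.pred(p)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def _or(self) -> Pred:
        left = self._and()
        while self._peek() == "or":
            self._take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self._and())
        return left

    def _and(self) -> Pred:
        left = self._not()
        while self._peek() == "and":
            self._take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self._not())
        return left

    def _not(self) -> Pred:
        if self._peek() == "not":
            self._take()
            inner = self._not()
            return lambda p: not inner(p)
        return self._atom()

    def _atom(self) -> Pred:
        tok = self._take()
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in ("tcp", "udp"):
            return lambda p, proto=tok: p.proto == proto
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok == "port":  # bare 'port N' means either end, as in tcpdump
            n = int(self._take())
            fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
            return lambda p: any(getattr(p, f) == n for f in fields)
        if tok == "net":
            net = ipaddress.ip_network(self._take(), strict=False)
            fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
            return lambda p: any(ipaddress.ip_address(getattr(p, f)) in net for f in fields)
        raise ValueError(f"unknown primitive {tok!r}")


def seen_by_snort(filter_expr: str, packets=PACKETS) -> list:
    """IDs of packets that pass the capture filter and so ever reach Snort's detection engine."""
    keep = BPF(filter_expr)
    return [p.pid for p in packets if keep(p)]


# Model of a pass rule scoped to one assumed noisy alert (internal clients fetching the
# front page): rule-header fields plus a content match.  A model of the idea, not Snort's parser.
PASS_RULE = {"proto": "tcp", "src_net": INTERNAL_NET, "sport": "any",
             "dst_net": "any", "dport": 80, "content": b"GET / HTTP/1.0"}


def rule_matches(rule: dict, p: Packet) -> bool:
    def net_ok(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def port_ok(spec, port):
        return spec == "any" or spec == port

    return (p.proto == rule["proto"]
            and net_ok(rule["src_net"], p.src) and port_ok(rule["sport"], p.sport)
            and net_ok(rule["dst_net"], p.dst) and port_ok(rule["dport"], p.dport)
            and rule["content"] in p.payload)


def seen_after_pass(rule: dict, packets=PACKETS) -> list:
    """IDs still checked by alert rules when the pass rule is evaluated first."""
    return [p.pid for p in packets if not rule_matches(rule, p)]


FILTER_AS_POSTED = f"not (tcp and src port 80 and src net {INTERNAL_NET})"
FILTER_FOR_REQUESTS = f"not (tcp and dst port 80 and src net {INTERNAL_NET})"

if __name__ == "__main__":
    for label, ids in [("filter as posted", seen_by_snort(FILTER_AS_POSTED)),
                       ("filter on outbound requests", seen_by_snort(FILTER_FOR_REQUESTS)),
                       ("narrow pass rule", seen_after_pass(PASS_RULE))]:
        print(f"{label:28s} snort still sees packets {ids}")
```

Run stand-alone, the filter as posted hides packets 3 and 4, so the source-port-80 probe in packet 4 is never examined at all; the request-direction filter hides packets 1 and 5, including the suspicious CGI request in 5; the pass rule drops only packet 1 and leaves everything else for the alert rules. That is the blind spot Jim warns about: a capture filter discards before any rule runs, whereas a pass rule can be written against the exact match that is noisy. In Snort 1.x, pass rules are only checked before alert rules when snort is started with `-o`.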