[Snort-devel] New Feature for Snort...
hoagland at ...60...
Tue May 7 08:21:03 EDT 2002
At 11:19 PM -0400 5/6/02, Jon B Anderson wrote:
>I don't know if this has been considered before, but for people who have
>snort installed on a router computer, it would be nice to not log the web
>traffic coming from the internal network. As this shows up twice in both
>the alert and the portscan.log files, the ability to remove the logging of
>this traffic would be really good.
You can do this already (if I understand your need correctly). At
the end of the snort command line you exclude certain kinds of
traffic from what snort looks at. The format for this is the same as
for tcpdump. I haven't tested this particular pattern, but I think
you want something like this:
snort [opts] 'not (tcp and src port 80 and src net x.x.x.x/x)'
x.x.x.x/x is the network you want to ignore web traffic coming from.
I'd be remiss if I didn't warn you about the blind spot that you are
creating by excluding traffic so broadly. Consider the alternatives
such as creating a pass rule for your specific frequent false
positives and portscan-ignorehosts.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...60..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
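Added illustration of the trade-off raised above (not part of the original thread): the broad capture filter on the command line versus a narrow Snort pass rule. The network 10.0.0.0/8, the web server 10.0.0.5 and the packets are constructed stand-ins for the x.x.x.x/x placeholder; the pass rule shown is an assumed example in Snort rule syntax.

```python
"""Model of the two exclusion strategies discussed in the reply: a
tcpdump/BPF expression that drops packets before Snort sees them, versus
a Snort 'pass' rule that only skips one specific flow. All addresses are
constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Assumed stand-in for the x.x.x.x/x placeholder in the original command line.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def bpf_excluded(pkt: Packet, net=INTERNAL_NET) -> bool:
    """True when 'tcp and src port 80 and src net <net>' matches, i.e. when
    the 'not (...)' capture filter hides the packet from Snort entirely."""
    return (pkt.proto == "tcp" and pkt.sport == 80
            and ipaddress.ip_address(pkt.src) in net)


def pass_rule_excluded(pkt: Packet, server="10.0.0.5", net=INTERNAL_NET) -> bool:
    """Equivalent of a narrow rule such as
    'pass tcp 10.0.0.5 80 -> 10.0.0.0/8 any' (assumed example): only replies
    from one known internal web server to internal clients are skipped."""
    return (pkt.proto == "tcp" and pkt.src == server and pkt.sport == 80
            and ipaddress.ip_address(pkt.dst) in net)


def blind_spot(packets):
    """Packets the capture filter drops that the pass rule would still let
    Snort inspect: the coverage lost by filtering broadly."""
    return [p for p in packets if bpf_excluded(p) and not pass_rule_excluded(p)]


SAMPLE = [  # constructed packets
    Packet("tcp", "10.0.0.5", 80, "10.0.1.7", 51000),     # the intended exclusion
    Packet("tcp", "10.0.0.9", 80, "203.0.113.4", 40000),  # another internal host on 80, outbound
    Packet("udp", "10.0.0.5", 80, "10.0.1.7", 51000),     # not tcp: both still inspect it
    Packet("tcp", "203.0.113.4", 80, "10.0.1.7", 51000),  # external web server: inspected
]

if __name__ == "__main__":
    for p in blind_spot(SAMPLE):
        print("hidden by the capture filter but not by the pass rule:", p)
```

In Snort of that era, pass rules were only checked ahead of alert rules when the -o option was given, so the narrower approach needs that switch as well.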