[Snort-sigs] Excluding the snort host from all rules?

Keith W. McCammon mccammon at ...2420...
Thu Jul 22 11:17:13 EDT 2004


This probably belongs in snort-users, but...

It depends.  If the sensor's management interface sits in HOME_NET,
then this won't help at all.  If this is indeed the case, then you
need to 1) use a BPF filter to ignore traffic to/from your sensor's
management interface, or 2) craft some pass rules to achieve the same
result.  Note that if you choose to use pass rules, you'll need to
start Snort with the -o option, so that those pass rules are processed
prior to the alert and log rules.

All of this, of course, assumes that you don't mind not knowing who's
attacking your sensor...



On Wed, 21 Jul 2004 19:07:12 -0400, Matthew Watchinski
<mwatchinski at ...435...> wrote:
> Have you set your HOME_NET and EXTERNAL_NET variables yet in the
> snort.conf file?  If not you should set those to the correct network
> ranges, it will most likely fix your noise problem.
> 
> Cheers,
> -matt
> 
> R S wrote:
> 
> > Hello,
> >
> > Is there a way to exclude the snort host from all rules?  I am a very
> > new user and have just installed the software.  Almost all the alerts
> > I see are my Snort machine talking to our Windows 2000 server.  I get
> > messages for L3retriever, SMB, etc. and they are mostly from my snort box.
> >
> > How can I tell snort to ignore everything coming from itself???
> >
> > Thanks,
> >
> > R
> >
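
Added example, not part of the original thread or written by any of its participants: the two options from the reply above (BPF filter, or pass rules with -o), each shown in a broad form and in a narrower form that only silences the sensor-to-Windows-server traffic the original question describes. The addresses, variable names, sids, interface name and file paths are assumptions chosen for illustration.

```conf
# Constructed example. Placeholder addresses (assumptions):
#   192.0.2.10 = sensor management interface
#   192.0.2.20 = Windows 2000 server the sensor talks to

# --- snort.conf: variables used by the pass rules below (names are hypothetical) ---
var SENSOR_MGMT 192.0.2.10
var WIN_SERVER 192.0.2.20

# --- local.rules, option 2: pass rules ---
# Broad: ignore everything to or from the sensor's management interface.
pass ip $SENSOR_MGMT any <> any any (msg:"LOCAL ignore sensor management traffic"; sid:1000001; rev:1;)

# Narrower alternative (use instead of the rule above): ignore only the
# sensor <-> Windows server pair, so traffic from any other host to the
# sensor is still evaluated against the alert rules.
# pass ip $SENSOR_MGMT any <> $WIN_SERVER any (msg:"LOCAL ignore sensor to server traffic"; sid:1000002; rev:1;)

# --- command lines (interface and config path are assumptions) ---
# Option 1, BPF filter: matching packets are dropped before Snort inspects them.
#   snort -c /etc/snort/snort.conf -i eth0 'not host 192.0.2.10'
# Option 1, narrower: drop only packets between the two hosts.
#   snort -c /etc/snort/snort.conf -i eth0 'not (host 192.0.2.10 and host 192.0.2.20)'
# Option 2, pass rules: start with -o so pass rules are processed before
# the alert and log rules.
#   snort -o -c /etc/snort/snort.conf -i eth0
```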



