[Snort-users] (no subject)
jburnes at ...75...
Thu Jul 20 14:40:19 EDT 2000
On Wed, 19 Jul 2000, Martin Roesch wrote:
> > (4) Be able to easily indicate a list of internal subnets which
> > should be ignored if you see traffic flowing between them.
> > (right now I have this implemented via a BPF pre-filter, but
> > there must be a more elegant method. The BPF filter gets a little
> > complicated.)
> Have you looked at using pass rules? Try pass rules combined with the -o
> switch to do this sort of thing. See http://www.snort.org/snort_rules.html
> for more info on writing rules....
I will see if I can get a pass setup to do this elegantly. Right now
the BPF filters are working OK, but it forces me to use only the
any<->any ruleset which creates lots of false positives. In other
words, seeing lots of SYNs from inside to outside could easily be
a web cache, but seeing them from outside to inside should send
Another idea I had (and a good one, I think) is to have every rule
have a trigger threshold. This would give people an arbitrary way
to squelch down certain rules. Somewhat like the portscan facility
Are you going to Blackhat/DEFCON?
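The pass-rule setup Martin suggests, written out as an added illustration that is not part of either poster's message. It assumes Snort 1.x rule syntax with a `var` holding the internal address space and the `-o` switch, which changes rule application order from Alert->Pass->Log to Pass->Alert->Log; the 10.0.0.0/8 subnet is a constructed placeholder.

```snort
# Constructed example: the internal address space (replace with your own subnets).
var INTERNAL 10.0.0.0/8

# Pass rules: traffic between two internal hosts is dropped silently.
# These only win over alert rules when snort is started with -o, which makes
# pass rules evaluate before alert rules (Pass->Alert->Log instead of the default
# Alert->Pass->Log).
pass tcp $INTERNAL any -> $INTERNAL any
pass udp $INTERNAL any -> $INTERNAL any
pass icmp $INTERNAL any -> $INTERNAL any

# Directional rule instead of any<->any: only a SYN arriving from outside toward
# an internal host matches, so outbound SYNs from something like a web cache are
# never reported.
alert tcp !$INTERNAL any -> $INTERNAL any (msg: "Inbound TCP SYN from outside"; flags: S;)
```

Start Snort with `-o` (for example `snort -o -c snort.rules`) so the pass rules are applied first; without it the alert rule is evaluated before the pass rule and internal-to-internal SYNs would still be reported.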