[Snort-users] how to ignore scans from trusted hosts?

Tony Lill ajlill at ...1676...
Fri Jun 1 11:59:42 EDT 2001


>>>>> "Neil" == Neil Dickey <neil at ...1633...> writes:


    Neil> Roeland Weve <roeland at ...1415...> wrote asking:

    >> I've seen it in a snort.conf version where the trusted host
    >> 'www.snort.org' was ignored from getting alerts from.  Now I'm
    >> getting alerts from some trusted hosts and want to ignore them
    >> by putting them in the snort.conf file.  I forgot how to do
    >> that, is it still possible and how can I do it?

    Neil> Yes, you need to write a "pass" rule, e.g.:

    Neil>   pass tcp 205.164.217.39 80 <> any any

That won't stop it from complaining about portscans, since that is
handled in a pre-processor (before the rules are matched). What you
need to do is write a tcpdump-style filter to exclude the host, e.g.

not ( tcp and host trusted.host and port 80 )

and either append it to the command line or put it in a file and use
the -F option to snort.

I've also had problems with pass rules being ignored if you put them
after 'include' directives in 1.7. I really should see if that's been
fixed in 1.8.
--
Tony Lill,                         Tony.Lill at ...1685...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
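Added example, not part of the thread above and not Snort's own code: a small Python model of the pipeline Tony describes (capture filter, then portscan pre-processor, then rules), run over constructed packet records, to show why Neil's pass rule leaves the portscan alerts in place while the BPF-style filter removes them. The addresses (RFC 5737 ranges, with 192.0.2.10 standing in for 'trusted.host'), the packet records, the port-count threshold and the hand-translation of the filter expression are all assumptions made for this illustration.

```python
"""Toy model of Snort's processing order: capture filter -> portscan
pre-processor -> rule engine. Constructed data; not Snort code."""

from collections import defaultdict

TRUSTED_HOST = "192.0.2.10"   # assumed stand-in for 'trusted.host' in the post

# Constructed packets: (proto, src, sport, dst, dport)
PACKETS = [
    # trusted web server answering one client on eight ephemeral ports:
    # to a port-counting pre-processor this looks like a scan
    *[("tcp", TRUSTED_HOST, 80, "192.0.2.50", p) for p in range(40000, 40008)],
    # an unrelated host probing five services on a local machine
    *[("tcp", "198.51.100.7", 53001, "192.0.2.60", p) for p in (21, 22, 23, 25, 110)],
]


def capture_filter(pkt):
    """Hand-translation of 'not ( tcp and host trusted.host and port 80 )':
    BPF 'host' matches either address and 'port' matches either port."""
    proto, src, sport, dst, dport = pkt
    matches = proto == "tcp" and TRUSTED_HOST in (src, dst) and 80 in (sport, dport)
    return not matches          # True = packet is kept


def pass_rule(pkt):
    """Neil's 'pass tcp <trusted> 80 <> any any': bidirectional,
    port 80 on the trusted side. Only consulted by the rule engine."""
    proto, src, sport, dst, dport = pkt
    return proto == "tcp" and (
        (src == TRUSTED_HOST and sport == 80) or (dst == TRUSTED_HOST and dport == 80)
    )


def portscan_preprocessor(packets, threshold=4):
    """Flag any source that touches at least `threshold` distinct
    destination ports (assumed threshold, simplified model)."""
    ports = defaultdict(set)
    for proto, src, sport, dst, dport in packets:
        ports[src].add(dport)
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)


def run(packets, use_filter=False):
    """Run the pipeline and report what each stage saw."""
    # Stage 1: capture filter (the -F file / command-line expression) drops
    # packets before anything else in Snort looks at them.
    seen = [p for p in packets if capture_filter(p)] if use_filter else list(packets)
    # Stage 2: the pre-processor runs on everything that was captured.
    scanners = portscan_preprocessor(seen)
    # Stage 3: pass rules only take effect here, after the pre-processor.
    to_rules = [p for p in seen if not pass_rule(p)]
    return {
        "portscan_alerts": scanners,
        "seen_by_preprocessor": len(seen),
        "reached_rules": len(to_rules),
    }


if __name__ == "__main__":
    print("pass rule only :", run(PACKETS, use_filter=False))
    print("with BPF filter:", run(PACKETS, use_filter=True))
```

With only the pass rule the trusted host is still reported by the pre-processor, because the eight port-80 packets were counted before the rule engine discarded them; with the capture filter they never reach the sensor at all, so the alert disappears. The same property is the thing to watch when deploying this: a capture filter blinds every downstream stage, not just the noisy pre-processor, so keep the expression as narrow as the one in the post rather than excluding the whole host.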
