[Snort-users] how to ignore scans from trusted hosts?
ajlill at ...1676...
Fri Jun 1 11:59:42 EDT 2001
>>>>> "Neil" == Neil Dickey <neil at ...1633...> writes:
Neil> Roeland Weve <roeland at ...1415...> wrote asking:
>> I've seen it in a snort.conf version where the trusted host
>> 'www.snort.org' was ignored from getting alerts from. Now I'm
>> getting alerts from some trusted hosts and want to ignore them
>> by putting them in the snort.conf file. I forgot how to do
>> that, is it still possible and how can I do it?
Neil> Yes, you need to write a "pass" rule, e.g.:
Neil> pass tcp 184.108.40.206 80 <> any any
That won't stop it from complaining about portscans, since that is
handled in a preprocessor (before the rules are matched). What you
need to do is write a tcpdump-style filter to exclude the host, e.g.
not ( tcp and host trusted.host and port 80 )
and either append it to the command line or put it in a file and use
the -F option to snort.
I've also had problems with pass rules being ignored if you put them
after 'include' directives in 1.7. I really should see if that's been
fixed in 1.8.
Tony Lill, Tony.Lill at ...1685...
President, A. J. Lill Consultants fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2 (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
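The filter approach from the reply above, as an added example that is not part of the original thread: a small shell helper that builds the tcpdump-style (BPF) expression for one or more trusted hosts and writes it to a file for snort's -F option, or for pasting onto the end of the command line. The host names, port and file name are constructed placeholders. One caveat worth keeping in mind: a BPF filter is applied when packets are captured, so traffic it excludes is invisible to every preprocessor and every rule, not just the portscan preprocessor, which is why the expression is kept as narrow as possible (protocol, host and port, not the host alone).

```shell
#!/bin/sh
# Added example (not from the original post): generate a BPF filter that
# hides trusted hosts from Snort. Hosts, port and file name are placeholders.

# build_bpf_filter PORT HOST...
# Prints: not ( (tcp and host H1 and port PORT) or (tcp and host H2 and port PORT) ... )
build_bpf_filter() {
  port="$1"; shift
  expr=""
  for h in "$@"; do
    clause="(tcp and host $h and port $port)"
    if [ -z "$expr" ]; then
      expr="$clause"
    else
      expr="$expr or $clause"
    fi
  done
  printf 'not ( %s )\n' "$expr"
}

# write_filter_file FILE PORT HOST...
# Writes the expression to FILE so it can be loaded with: snort -c snort.conf -F FILE
write_filter_file() {
  file="$1"; shift
  build_bpf_filter "$@" > "$file"
}

# Demo with placeholder hosts:
#   snort -c snort.conf -F trusted.bpf
# or, equivalently, appended to the command line:
#   snort -c snort.conf "$(build_bpf_filter 80 trusted.host)"
write_filter_file trusted.bpf 80 trusted.host 192.0.2.10
cat trusted.bpf
```

The generated expression uses only standard BPF operators (and, or, not, parentheses), so it can also be checked by hand against tcpdump before being handed to snort.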