[Snort-users] how to ignore scans from trusted hosts?
neil at ...1633...
Fri Jun 1 12:20:05 EDT 2001
Tony Lill <ajlill at ...1676...> wrote in response to me:
> Neil> Roeland Weve <roeland at ...1415...> wrote asking:
> >> I've seen it in a snort.conf version where the trusted host
> >> 'www.snort.org' was ignored from getting alerts from. Now I'm
> >> getting alerts from some trusted hosts and want to ignore them
> >> by putting them in the snort.conf file. I forgot how to do
> >> that, is it still possible and how can I do it?
> Neil> Yes, you need to write a "pass" rule, e.g.:
> Neil> pass tcp 18.104.22.168 80 <> any any
>That won't stop it from complaining about portscans, since that is
>handled in a pre-processor (before the rules are matched). What you
>need to do is write a tcpdump-style filter to exclude the host, e.g.
That is true, but I assumed from the context of Roeland's original post
that the problem he was having derived from Snort rules and not the
preprocessor. I may have been incorrect in that.
>not ( tcp and host trusted.host and port 80 )
>and either append it to the command line or put it in a file and use
>the -F option to snort.
I have successfully used this syntax near the head of my snort.conf file ...
preprocessor portscan-ignorehosts: 111.222.333.444/24 555.666.777.888/8
... where the number of domains to be ignored was not large.
Neil Dickey, Ph.D.
Northern Illinois University