[Snort-users] how to ignore scans from trusted hosts?

Neil Dickey neil at ...1633...
Fri Jun 1 12:20:05 EDT 2001


Tony Lill <ajlill at ...1676...> wrote in response to me:

>    Neil> Roeland Weve <roeland at ...1415...> wrote asking:
>
>    >> I've seen it in a snort.conf version where the trusted host
>    >> 'www.snort.org' was ignored from getting alerts from.  Now I'm
>    >> getting alerts from some trusted hosts and want to ignore them
>    >> by putting them in the snort.conf file.  I forgot how to do
>    >> that, is it still possible and how can I do it?
>
>    Neil> Yes, you need to write a "pass" rule, e.g.:
>
>    Neil>   pass tcp 205.164.217.39 80 <> any any
>
>That won't stop it from complaining about portscans, since that is
>handled in a preprocessor (before the rules are matched). What you
>need to do is write a tcpdump-style filter to exclude the host, eg.

That is true, but I assumed from the context of Roeland's original post
that the problem he was having derived from Snort rules and not the
preprocessor.  I may have been incorrect in that.

>not ( tcp and host trusted.host and port 80 )
>
>and either append it to the command line or put it in a file and use
>the -F option to snort.

I have successfully used this syntax near the head of my snort.conf file ...

  preprocessor portscan-ignorehosts: 111.222.333.444/24 555.666.777.888/8

... where the number of domains to be ignored was not large.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
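The three exclusion mechanisms mentioned in this thread (a pass rule, a BPF filter for -F, and a portscan-ignorehosts line) are usually fed from the same list of trusted hosts, and it is easy to get the BPF grouping or a CIDR wrong by hand. The following added example, which is not code from Neil's or Tony's posts, builds all three from one list and validates the networks first; the addresses are constructed RFC 5737 documentation ranges, and the function names are this example's own.

```python
"""Generate Snort exclusion fragments for a list of trusted hosts.

Added example for the Snort-users thread on ignoring trusted hosts.
It is not code from the original post.  Networks are checked with the
ipaddress module so that a bad placeholder (an octet above 255, a
malformed prefix) is rejected here instead of at snort startup.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample input: RFC 5737 documentation addresses, not real hosts.
TRUSTED = ["192.0.2.10", "198.51.100.0/24"]
TRUSTED_PORT = 80


def validate_networks(specs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse host or CIDR strings into IPv4 networks; a bare host becomes /32.

    strict=False lets "198.51.100.7/24" through as 198.51.100.0/24 instead of
    failing on host bits; anything that is not a legal address still raises.
    """
    nets = []
    for spec in specs:
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad trusted network {spec!r}: {exc}") from exc
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"only IPv4 is handled here, got {spec!r}")
        nets.append(net)
    return nets


def pass_rule(host: str, port: int) -> str:
    """The pass rule from the post: traffic where host:port is on either side."""
    return f"pass tcp {host} {port} <> any any"


def bpf_exclusion(nets: List[ipaddress.IPv4Network], port: int) -> str:
    """BPF filter for -F (or the command line) excluding each trusted network.

    Every network gets its own parenthesised clause and the whole disjunction
    is negated once.  Without the outer parentheses "not tcp and host X"
    parses as "(not tcp) and host X", which excludes nothing useful.
    """
    clauses = []
    for net in nets:
        if net.prefixlen == 32:
            target = f"host {net.network_address}"
        else:
            target = f"net {net.with_prefixlen}"
        clauses.append(f"(tcp and {target} and port {port})")
    return "not (" + " or ".join(clauses) + ")"


def portscan_ignorehosts(nets: List[ipaddress.IPv4Network]) -> str:
    """The preprocessor line Neil uses, with every entry in CIDR form."""
    return "preprocessor portscan-ignorehosts: " + " ".join(
        net.with_prefixlen for net in nets
    )


def build_exclusions(specs: Iterable[str], port: int) -> Dict[str, str]:
    """Return the three snort.conf / filter fragments for the trusted list."""
    nets = validate_networks(specs)
    rules = "\n".join(
        pass_rule(str(net.network_address), port) for net in nets if net.prefixlen == 32
    )
    return {
        "pass_rules": rules,
        "bpf_filter": bpf_exclusion(nets, port),
        "portscan_ignorehosts": portscan_ignorehosts(nets),
    }


if __name__ == "__main__":
    for name, text in build_exclusions(TRUSTED, TRUSTED_PORT).items():
        print(f"# {name}\n{text}\n")
```

Write the "bpf_filter" string to a file and hand it to snort with -F, put the "portscan_ignorehosts" line near the head of snort.conf as Neil describes, and remember that in Snort's default rule order (Alert, Pass, Log) a pass rule only wins over a matching alert rule when snort is started with -o. The placeholder 111.222.333.444/24 from the post is exactly the sort of entry validate_networks rejects, since 333 is not a valid octet.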
