[Snort-users] how to ignore scans from trusted hosts?

Tony Lill ajlill at ...1676...
Fri Jun 1 12:41:25 EDT 2001


>>>>> "Neil" == Neil Dickey <neil at ...1633...> writes:


    Neil> Tony Lill <ajlill at ...1676...> wrote in response to
    Neil> me:

    >> not ( tcp and host trusted.host and port 80 )
    >> 
    >> and either append it to the command line or put it in a file
    >> and use the -F option to snort.

    Neil> I have successfully used this syntax near the head of my
    Neil> snort.conf file ...

    Neil>   preprocessor portscan-ignorehosts: 111.222.333.444/24
    Neil> 555.666.777.888/8

    Neil> ... where the number of domains to be ignored was not large.

I remember why I went the filter route now... it was to cut out the
anomaly reports as well. Unfortunately there's not a global
pre-pre-processor to eliminate trusted hosts so we don't have to
configure it for every pre-processor (assuming it supports such a
thing).

Cheers
--
Tony Lill,                         Tony.Lill at ...1685...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"




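The filter approach from the message above, extended to several trusted hosts, as an added example that is not part of the original post or of Snort itself. A BPF filter passed with -F discards matching packets before any preprocessor or rule sees them, so every entry in the list is a detection blind spot for that port. The function name and the file names trusted.txt and ignore.bpf are assumptions made for illustration.

```shell
#!/bin/sh
# Build one BPF exclusion in the form quoted in the thread,
#   not ( tcp and host trusted.host and port 80 )
# generalised to a list of hosts read from a file.
#
# Usage:  build_ignore_filter PORT HOSTFILE
# HOSTFILE: one hostname or IPv4 address per line; blank lines and
#           '#' comments are ignored.
# Returns 1 (and prints nothing) if no valid host remains, so an empty
# list never turns into a filter that excludes more than intended.
build_ignore_filter() {
    port=$1
    hostfile=$2
    hosts=""

    # The port must be purely numeric.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')     # drop whitespace
        if [ -z "$line" ]; then continue; fi
        # Accept only characters valid in a hostname or IPv4 literal, so
        # a stray token cannot change the meaning of the expression.
        case $line in
            *[!A-Za-z0-9.-]*) echo "skipping invalid entry: $line" >&2; continue ;;
        esac
        if [ -z "$hosts" ]; then
            hosts="host $line"
        else
            hosts="$hosts or host $line"
        fi
    done < "$hostfile"

    if [ -z "$hosts" ]; then return 1; fi
    printf 'not ( tcp and port %s and ( %s ) )\n' "$port" "$hosts"
}

# Typical use (file names are assumptions):
#   build_ignore_filter 80 trusted.txt > ignore.bpf && snort -c snort.conf -F ignore.bpf
```

Keep the host list as short as possible and review it whenever a trusted host is retired or readdressed.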