[Snort-users] how to ignore scans from trusted hosts?

Phil Wood cpw at ...440...
Fri Jun 1 12:58:46 EDT 2001


Have you tried:

  preprocessor portscan-ignorehosts: $IGNOREHOSTS

(the syntax for the host list is space-separated host addresses)

Also, I take the spp_portscan.c file and comment out the logging of
alerts.  This leaves the scan data in the text scan file which can
be looked at and summarized in other ways.  It is just plain nuts
to send thousands of alerts to an sql database.

On Fri, Jun 01, 2001 at 11:59:42AM -0400, Tony Lill wrote:
> >>>>> "Neil" == Neil Dickey <neil at ...1633...> writes:
> 
> 
>     Neil> Roeland Weve <roeland at ...1415...> wrote asking:
> 
>     >> I've seen it in a snort.conf version where the trusted host
>     >> 'www.snort.org' was ignored from getting alerts from.  Now I'm
>     >> getting alerts from some trusted hosts and want to ignore them
>     >> by putting them in the snort.conf file.  I forgot how to do
>     >> that, is it still possible and how can I do it?
> 
>     Neil> Yes, you need to write a "pass" rule, e.g.:
> 
>     Neil>   pass tcp 205.164.217.39 80 <> any any
> 
> That won't stop it from complaining about portscans, since that is
> handled in a preprocessor (before the rules are matched). What you
> need to do is write a tcpdump-style filter to exclude the host, e.g.
> 
> not ( tcp and host trusted.host and port 80 )
> 
> and either append it to the command line or put it in a file and use
> the -F option to snort.
> 
> I've also had problems with pass rules being ignored if you put them
> after 'include' directives in 1.7. I really should see if that's been
> fixed in 1.8.
> --
> Tony Lill,                         Tony.Lill at ...1685...
> President, A. J. Lill Consultants        fax/data (519) 650 3571
> 539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
> --------------- http://www.ajlc.waterloo.on.ca/ ----------------
> "Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
> 

-- 
Phil Wood, cpw at ...440...
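The three mechanisms discussed in this thread, gathered into one Snort 1.x snort.conf fragment. This is an added example, not configuration posted by anyone in the thread: 205.164.217.39 is the address from Neil's pass rule, while 192.168.1.0/24 (HOME_NET), 10.0.0.5 (a second trusted host), the portscan thresholds and the log file name are made up for illustration. The IGNOREHOSTS variable is assumed to expand to the whole space-separated list, as Phil's preprocessor line implies.

```conf
# Added example for Snort 1.x (not from the original thread).
# HOME_NET, 10.0.0.5, the thresholds and portscan.log are assumed values.
var HOME_NET 192.168.1.0/24
var IGNOREHOSTS 205.164.217.39 10.0.0.5

# Portscan detector: watch HOME_NET, flag 4 ports hit within 3 seconds,
# and write the per-scan detail to the text file portscan.log.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Hosts whose probes must never be reported as a scan. The list is
# space-separated; a comma-separated list is not parsed as multiple hosts.
preprocessor portscan-ignorehosts: $IGNOREHOSTS

# Pass rule for the same host. This silences rule-based alerts for its
# web traffic only: the portscan preprocessor has already run before the
# rules engine sees the packet, so it does nothing for scan alerts.
# Snort 1.x applies rules in Alert -> Pass -> Log order by default, so a
# pass rule only wins when snort is started with -o (Pass -> Alert -> Log).
pass tcp 205.164.217.39 80 <> any any
```

Tony's BPF approach is the third option: put `not ( tcp and host 205.164.217.39 and port 80 )` in a file and start snort with `-F <file>` (or append the expression to the command line). The trade-off is that a BPF filter removes those packets from snort entirely, so neither the preprocessors nor any rule will ever see them, whereas portscan-ignorehosts only mutes the scan detector and leaves the rest of the host's traffic subject to the rules.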