[Snort-users] how to ignore scans from trusted hosts?

Neil Dickey neil at ...1633...
Thu May 31 10:55:31 EDT 2001


Roeland Weve <roeland at ...1415...> wrote asking:

>I've seen a snort.conf version in which alerts from the trusted host
>'www.snort.org' were ignored.
>Now I'm getting alerts from some trusted hosts and want to ignore them
>by putting them in the snort.conf file.
>I forgot how to do that, is it still possible and how can I do it?

Yes, you need to write a "pass" rule, e.g.:

  pass tcp 205.164.217.39 80 <> any any

Then be sure to use the '-o' option on the command line when you start
Snort, so that the "pass" rules are acted upon before the "alert" rules.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115



