[Snort-users] how to ignore scans from trusted hosts?
neil at ...1633...
Thu May 31 10:55:31 EDT 2001
Roeland Weve <roeland at ...1415...> wrote asking:
>I've seen it in a snort.conf version where the trusted host
>'www.snort.org' was ignored from getting alerts from.
>Now I'm getting alerts from some trusted hosts and want to ignore them
>by putting them in the snort.conf file.
>I forgot how to do that, is it still possible and how can I do it?
Yes, you need to write a "pass" rule, e.g.:
pass tcp 22.214.171.124 80 <> any any
Then be sure to use the '-o' option on the command line when you start
Snort, so that the "pass" rules are acted upon before the "alert" rules.
Neil Dickey, Ph.D.
Northern Illinois University
More information about the Snort-users