[Snort-users] Help with Rule

Chris Green cmg at ...671...
Sun Nov 4 12:46:01 EST 2001


Tim Sailer <sailer at ...2968...> writes:

> Folks,
>   I may be dense, so bear with me. I have a host that is a very large,
> very busy, FTP server on our network. It seems like when it runs out
> of available anonymous slots, each connection to it trips the FTP-bad-login
> rule. I want to ignore this individual host, but not the others in my
> home net. I've tried about 20 different combos that don't work. Does some
> kind soul have a rule that shows me how to do this?

If you are using pass rules, you need to be sure to use the -o command
line option to cause passes to occur prior to alerts.

You may also consider ignoring this machine with a pcap filter such as

not host 192.168.1.1 and tcp and port 21
-- 
Chris Green <cmg at ...671...>
A watched process never cores.




More information about the Snort-users mailing list