[Snort-users] Help with Rule
cmg at ...671...
Sun Nov 4 12:46:01 EST 2001
Tim Sailer <sailer at ...2968...> writes:
> I may be dense, so bear with me. I have a host that is a very large,
> very busy, FTP server on our network. It seems like when it runs out
> of available anonymous slots, each connection to it trips the FTP-bad-login
> rule. I want to ignore this individual host, but not the others in my
> home net. I've tried about 20 different combos that don't work. Does some
> kind soul have a rule that shows me how to do this?
If you are using pass rules, you need to be sure to use the -o command
line option to cause passes to occur prior to alerts.
You may also consider ignoring this machine with a pcap filter such as

    not host 192.168.1.1 and tcp and port 21

Chris Green <cmg at ...671...>
A watched process never cores.
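
Both suggestions from the reply, written out as an added example that is not part of the original message. The file name local.rules and the snort.conf path are assumptions, and 192.168.1.1 is the example address from the reply, standing in for the FTP server.

```snort
# local.rules (assumed file name, included from snort.conf)
#
# Pass rule: stop evaluating traffic on the FTP server's control port.
# 192.168.1.1 is the example address from the reply; <> matches both
# directions of the connection.
pass tcp 192.168.1.1 21 <> any any

# As the reply notes, Snort must be started with -o so that pass rules
# are applied before alert rules:
#
#   snort -o -c /etc/snort/snort.conf
#
# Alternative without pass rules: a pcap filter appended to the command
# line, so the packets never reach the detection engine at all. "not"
# binds tighter than "and" in pcap filter syntax, so the parentheses are
# what limit the exclusion to this one host's port 21 traffic:
#
#   snort -c /etc/snort/snort.conf 'not (host 192.168.1.1 and tcp port 21)'
```

Either approach hides all FTP control-channel traffic for that host from Snort, not only the bad-login alerts, so other FTP signatures will no longer fire for it.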