[Snort-users] Ignoring all traffic from a certain network
erek at ...577...
Mon Apr 15 12:37:19 EDT 2002
On Mon, 15 Apr 2002, Stephen C Burns wrote:
> Is there a way to have Snort and all of its rules ignore all traffic from
> a specific /24? Like a global portscan-ignorehosts directive that affects
> everything, not just port scans? I get a lot of false positives in the
> rules from my HOME_NET that I'd like to take out, if possible... thanks
As Jeff mentioned, you could use BPF filters. This is a fairly good idea,
since it tells pcap not to pass the packets into snort. That stops any 'extra
overhead' of processing that snort would have to do. If it's a lot of stuff,
I'd suggest looking at using a BPF filter file.
-F <bpf> Read BPF filters from file <bpf>
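
The BPF filter file suggested in the reply above, as an added example that is not part of the original post: a small shell helper that builds the filter expression from a list of source networks and writes it to a file for `-F`. The function name, the sample networks, and the file and `snort.conf` paths are assumptions.

```shell
#!/bin/sh
# Build a BPF filter file so pcap drops traffic *sourced from* the listed
# networks before Snort sees it. Networks used here are constructed samples.
# Note: packets excluded this way are invisible to every rule and preprocessor.

# build_bpf_ignore NET... : print one pcap-filter expression, fail on bad input
build_bpf_ignore() {
    filter=""
    for net in "$@"; do
        # Reject anything that is not digits, dots and a slash (incl. newlines)
        case $net in
            *[!0-9./]*) echo "invalid network: $net" >&2; return 1 ;;
        esac
        # Require dotted-quad/prefix form; pcap additionally rejects networks
        # with host bits set (e.g. 192.0.2.5/24) when the filter is compiled
        if ! printf '%s\n' "$net" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
            echo "invalid network: $net" >&2
            return 1
        fi
        if [ -z "$filter" ]; then
            filter="src net $net"
        else
            filter="$filter or src net $net"
        fi
    done
    [ -n "$filter" ] || { echo "no networks given" >&2; return 1; }
    # "src net" ignores only traffic from the network, not traffic sent to it
    printf 'not (%s)\n' "$filter"
}

# Write the filter file (path is an assumption)
BPF_FILE=${BPF_FILE:-./ignore.bpf}
build_bpf_ignore 192.0.2.0/24 > "$BPF_FILE"

# Then start Snort with it, for example:
#   snort -c /etc/snort/snort.conf -F ./ignore.bpf
```

Because the filter uses `src net`, replies going back to the ignored /24 are still inspected; using plain `net` instead would drop both directions.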