[Snort-users] Problems ignoring a host

Graham, Randy (RAW) RAW at ...4721...
Tue Feb 12 10:44:09 EST 2002


Can you just ignore it through the command line?  That's how I'm keeping our
scanning systems from showing up:
 
snort -bdD -o -c /usr/local/etc/snort.conf not host 10.1.1.9
 

Randy Graham
--
The Internet?  Bah!  Is that thing still around?  -- Homer Simpson
http://www.securitynewbie.com/ - for people like me


-----Original Message-----
From: Peter Sundstrom [mailto:peter at ...4950...]
Sent: Monday, February 11, 2002 8:47 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Problems ignoring a host


I'm trying to ignore alerts triggered by our scanner without any luck.
 
I've read through the doco and FAQ, and seem to have everything that is
required, but obviously, I'm still missing something.
 
I'm running snort 1.8.3 on Solaris 2.6.  It gets started with:
 
snort -bdD -o -c /usr/local/etc/snort.conf
 
Note that I have the -o flag to change the rule processing order.
 
In snort.conf, I have include local.rules in the rulesets.  I tried changing
the order of the rulesets, without any difference.
 
In local.rules I have:
 
pass IP 192.168.1.25/32 any -> any any
pass TCP 192.168.1.25/32 any -> any any
pass ICMP 192.168.1.25/32 any -> any any
pass UDP 192.168.1.25/32 any -> any any
 
What am I missing?
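
Added example (not part of the original thread, and not Snort code): a toy Python model of the two approaches discussed above, the pass rules evaluated in the default Alert->Pass->Log order versus the -o Pass->Alert->Log order, and the "not host" capture filter. The alert rule and the second host are constructed for illustration.

```python
# Toy model for illustration only; it does not reproduce Snort's internals.
from ipaddress import ip_address

# Constructed sample data: the scanner from the original post and one other host.
SCANNER = ip_address("192.168.1.25")
PACKETS = [
    {"src": SCANNER, "dst": ip_address("192.168.1.80"), "dport": 80},
    {"src": ip_address("203.0.113.7"), "dst": ip_address("192.168.1.80"), "dport": 80},
]

# Each rule is (action, predicate). The alert rule is a hypothetical stand-in
# for any signature the scanner trips; the pass rule mirrors local.rules
# (source address only).
RULES = [
    ("alert", lambda p: p["dport"] == 80),
    ("pass", lambda p: p["src"] == SCANNER),
]

def bpf_not_host(addr):
    """Model of the capture filter 'not host <addr>': matches either direction."""
    return lambda p: p["src"] != addr and p["dst"] != addr

def process(packets, rules, pass_first=False, capture_filter=None):
    """Return one verdict per packet: 'filtered', 'alert', 'pass' or 'none'.

    pass_first=False models the default Alert->Pass->Log order;
    pass_first=True models the -o order, Pass->Alert->Log.
    """
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    verdicts = []
    for pkt in packets:
        if capture_filter and not capture_filter(pkt):
            verdicts.append("filtered")   # dropped at capture, never inspected
            continue
        verdict = "none"
        for action in order:              # first rule type with a match wins
            if any(a == action and match(pkt) for a, match in rules):
                verdict = action
                break
        verdicts.append(verdict)
    return verdicts

if __name__ == "__main__":
    print("default order:", process(PACKETS, RULES))
    print("with -o      :", process(PACKETS, RULES, pass_first=True))
    print("not host     :", process(PACKETS, RULES, capture_filter=bpf_not_host(SCANNER)))
```

In this model the capture filter also hides traffic sent to the scanner, which the source-only pass rules do not, so the filtered host becomes a blind spot for the sensor in both directions.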

 
 
 


