[Snort-users] single ip address

Erickson Brent W KPWA erickson at ...160...
Thu Feb 21 19:27:04 EST 2002

Hi Scott,

If you would like to ignore an address that is setting off a particular
alert rule (not port scan pre-processor or stealth scan) and say for example
that the destination port for the rule was 98 (Linux Config) and the host
was on your $HOME_NET,

you could do:

pass tcp any -> any 98

And from the snort command line invoke the -o option to call the pass rules.


snort -d -o -A fast -c snort.conf


pass tcp any -> $EXTERNAL_NET 98

or if udp:

pass udp any -> any 98

If the offending node is setting off the port scan pre-processor

you could do:

define the variable in snort.conf

var DNS2

and then in pre-processor portscan ignore: $DNS2

If the offending node is triggering the stealth code for the port scan
pre-processor or stream 4, you need a Berkeley Packet filter:

for example at the command line:

snort -d -A fast -c snort.conf not (src host and dst port 98)

src is source, dst is destination.

Hope this will help, and if I have made any glaring errors I trust that my
snort friends will take two drinks and correct me.

Brent Erickson
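A worked snort.conf fragment that puts the three techniques from the reply above side by side, with the single host written out explicitly. This is an added example, not code from either post; the addresses (192.0.2.25, 10.1.1.0/24) are constructed placeholders from the documentation ranges, and the directive name `portscan-ignorehosts` is the Snort 1.x spelling of the "portscan ignore" line Brent mentions.

```conf
# snort.conf fragment (constructed example, Snort 1.x syntax)

var HOME_NET 10.1.1.0/24
var EXTERNAL_NET !$HOME_NET

# The one host to ignore. A bare address is a single host;
# no /24 is needed, and /32 means the same thing.
var DNS2 192.0.2.25

# 1. Silence only the signature this host keeps tripping (here dst port 98).
#    Full rule header is: action proto src_ip src_port -> dst_ip dst_port
#    so the source port must be given even when it is "any".
pass tcp $DNS2 any -> $HOME_NET 98

# Run with -o so pass rules are evaluated before alert rules:
#   snort -d -o -A fast -c snort.conf

# 2. Keep the host out of the portscan preprocessor's counting.
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS2

# 3. If the stealth-scan code or stream4 still fires, drop the traffic before
#    any preprocessor sees it with a BPF expression on the command line.
#    Quote it, or the shell will try to interpret the parentheses:
#   snort -d -A fast -c snort.conf 'not (src host 192.0.2.25 and dst port 98)'
```

The three mechanisms are not equivalent: the pass rule suppresses one signature for one host and leaves everything else about that host visible; the portscan-ignorehosts line only affects the portscan preprocessor; the BPF filter removes the matching packets from Snort entirely, so anything else those packets would have triggered is lost as well. Prefer the narrowest option that stops the noise.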

-----Original Message-----
From: Scott Taylor [mailto:scottt at ...4859...]
Sent: Thursday, February 21, 2002 5:33 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] single ip address

Hello all,
  I'm having a hard time finding info on applying rules to a single IP addy. For instance, if I want to ignore a single IP address, what would the pass rule look like?

pass tcp -> any any

or do I need a /24 on the end of the IP?

Would this work in the snort.conf under home_net?

take 1 chug and kiss the person on your right.


SOCCER.COM, The Center of the Soccer Universe
