[Snort-users] single ip address
Erickson Brent W KPWA
erickson at ...160...
Thu Feb 21 19:27:04 EST 2002
If you would like to ignore an address that is setting off a particular alert rule (not the port scan pre-processor or stealth scan) and say, for example, that the destination port for the rule was 98 (Linux Config) and the host was on your $HOME_NET, you could do:
pass tcp 192.168.12.4/32 any -> any 98
And from the snort command line invoke the -o option to call the pass rules:
snort -d -o -A fast -c snort.conf
pass tcp 192.168.12.4/32 any -> $EXTERNAL_NET 98
or if udp:
pass udp 192.168.12.4/32 any -> any 98
If the offending node is setting off the port scan pre-processor you could define the variable in snort.conf:
var DNS2 192.168.12.4
and then in pre-processor portscan ignore: $DNS2
If the offending node is triggering the stealth code for the port scan pre-processor or stream4, you need a Berkeley Packet Filter, for example at the command line:
snort -d -A fast -c snort.conf 'not (src host 192.168.12.4 and dst port 98)'
src is source, dst is destination.
Hope this will help, and if I have made any glaring errors I trust that my
snort friends will take two drinks and correct me.
From: Scott Taylor [mailto:scottt at ...4859...]
Sent: Thursday, February 21, 2002 5:33 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] single ip address
I'm having a hard time finding info on applying rules to a single IP addy. For instance, if I want to ignore a single IP address, what would the pass rule look like?
pass tcp 192.168.12.4 -> any any
or do I need a /24 on the end of the IP?
Would this work in the snort.conf under home_net?
take 1 chug and kiss the person on your right.