[Snort-users] Remove Home_NET from EXTERNAL_NET any

Erek Adams erek at ...577...
Wed Jul 3 11:16:06 EDT 2002


On Wed, 3 Jul 2002 DThomaz at ...6151... wrote:

> If I want to use the pass rule, where do I have to add it?

IMHO, the best way to do it would be to create an 'ignore.rules' file and place
the pass rule in that rules file.  Then I would include that rulefile at the top
of the list of included files in snort.conf.  For example:

[...snip...]

#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default.  These require tuning and maintenance.
# Please read the included specific file for more information.
#=========================================

# Ignore.rules stores pass rules for hosts I wish to ignore.
include $RULE_PATH/ignore.rules

# Standard Snort Rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules

[...snip...]

And then in ignore.rules:

pass icmp <foo> any -> $HOME_NET any


> What is BPF?

BPF stands for Berkeley Packet Filter.  To understand the syntax of the
filter, have a look at your local tcpdump(8) manpage.

As a note, if you are seeing a lot of packets from those machines you wish to
ignore, you'll get better performance out of snort by using a filter instead
of a pass rule.  For the pass rule to work, the packet must be parsed in some
way by snort, whereas the BPF drops it at the packet capture level and the
packets are never 'seen' by snort at all.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
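As an added example, not part of Erek's reply or of the Snort distribution: a small POSIX shell script that produces both artifacts the reply discusses from one list of hosts to ignore, an ignore.rules file of pass rules (generalized from the reply's icmp rule to the ip protocol, so all traffic from those hosts toward $HOME_NET is passed) and the equivalent BPF expression to hand to snort with -F. The host addresses and the output directory are placeholders I chose. One caveat that is mine, not from the reply: Snort of this era applies rules in Alert, Pass, Log order by default, so a pass rule only wins over an alert rule when snort is started with -o, which switches the order to Pass, Alert, Log.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project.
# Builds the two "ignore" artifacts the reply describes from a single
# host list: Snort pass rules and the equivalent BPF capture filter.
# All host addresses and paths below are hypothetical placeholders.

# ignore_bpf HOST|CIDR ...
# Prints a BPF expression (tcpdump syntax) that excludes any packet whose
# source or destination matches one of the hosts or networks given, e.g.
#   ignore_bpf 10.1.1.5 10.1.2.0/24  ->  not (host 10.1.1.5 or net 10.1.2.0/24)
# This runs in the capture layer, so snort never sees the excluded packets.
ignore_bpf() {
    [ "$#" -gt 0 ] || return 1
    filter=""
    for h in "$@"; do
        case "$h" in
            */*) term="net $h" ;;    # a/b CIDR notation uses the 'net' primitive
            *)   term="host $h" ;;   # single address or hostname
        esac
        if [ -z "$filter" ]; then
            filter="$term"
        else
            filter="$filter or $term"
        fi
    done
    printf 'not (%s)\n' "$filter"
}

# ignore_rules HOST|CIDR ...
# Prints one Snort pass rule per host for ignore.rules. The reply's example is
# "pass icmp <host> any -> $HOME_NET any"; here the protocol is widened to ip
# so every packet from the host toward $HOME_NET is passed, not just ICMP.
# Unlike the BPF filter, snort still decodes these packets before discarding.
ignore_rules() {
    [ "$#" -gt 0 ] || return 1
    for h in "$@"; do
        printf 'pass ip %s any -> $HOME_NET any\n' "$h"
    done
}

# write_ignore_files DIR HOST|CIDR ...
# Writes DIR/ignore.rules (for 'include $RULE_PATH/ignore.rules' at the top
# of snort.conf) and DIR/ignore.bpf (for 'snort -F DIR/ignore.bpf'), and
# prints the two paths it wrote.
write_ignore_files() {
    dir="$1"; shift
    mkdir -p "$dir" || return 1
    ignore_rules "$@" > "$dir/ignore.rules" || return 1
    ignore_bpf "$@" > "$dir/ignore.bpf" || return 1
    printf '%s\n' "$dir/ignore.rules" "$dir/ignore.bpf"
}

# Example invocation (hypothetical hosts and path):
#   write_ignore_files /etc/snort/rules 10.1.1.5 10.1.2.0/24
#   snort -c /etc/snort/snort.conf -o                            # pass rules applied before alert rules
#   snort -c /etc/snort/snort.conf -F /etc/snort/rules/ignore.bpf  # drop those hosts at capture time instead
```

The two outputs are alternatives, not a pair to be used together: the BPF file is the cheaper option when the ignored hosts are noisy, as the reply notes, while ignore.rules keeps the packets visible to snort (useful if you still want them logged by a later rule).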




