[Snort-users] Ignore Hosts How-To
erek at ...577...
Fri Jun 7 11:44:03 EDT 2002
Ok, you have two basic options for ignoring hosts:
Both ways provide you with the potential to completely _blind_ your sensor to
all traffic. This would be a 'Bad Thing(tm)'.
Here is a basic example of how to ignore a host with each method. Are
they perfect? No. Want to improve and/or correct them? Sure! Feel free!
To ignore ICMP ECHO-REQUESTs (pings) and ICMP ECHO-REPLYs (ping replies) from
host <foo> using BPF:
not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )
To ignore ALL ICMP traffic from host <foo> using a pass rule:
pass icmp <foo> any -> $HOME_NET any
And you _MUST_ start snort with the '-o' parameter for the pass rule to work.
Anyone else got a better rule and/or filter?
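The following is an added example, not part of the original post and not Snort or libpcap code: a small Python model of what each of the two methods above lets through to the detection engine, run over a handful of constructed packets. The host address 192.168.1.50 standing in for <foo>, the $HOME_NET value, and the packet records are all assumptions made for illustration. It also models the "blind sensor" failure the post warns about, by showing what happens when the parentheses in the BPF expression are misplaced.

```python
"""Model of the two host-ignore methods (BPF capture filter vs. Snort
pass rule). Added example; the addresses and packets are constructed."""
import ipaddress

# Assumed values standing in for <foo> and $HOME_NET.
FOO = "192.168.1.50"
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample traffic: (src, dst, proto, icmp_type or None).
SAMPLE = [
    ("192.168.1.50", "192.168.1.10", "icmp", 8),    # echo request from foo
    ("192.168.1.10", "192.168.1.50", "icmp", 0),    # echo reply back to foo
    ("192.168.1.50", "192.168.1.10", "icmp", 3),    # dest-unreachable from foo
    ("10.9.9.9",     "192.168.1.10", "icmp", 8),    # echo request from elsewhere
    ("192.168.1.50", "192.168.1.10", "tcp",  None), # tcp from foo
    ("10.9.9.9",     "192.168.1.10", "tcp",  None), # tcp from elsewhere
]


def bpf_echo_ignore(pkt, foo=FOO):
    """BPF 'not ((icmp[0] = 8 or icmp[0] = 0) and host foo)'.
    Returns True when the packet passes the capture filter (reaches Snort).
    Note that 'host foo' matches foo as source OR destination."""
    src, dst, proto, itype = pkt
    is_echo = proto == "icmp" and itype in (8, 0)
    involves_foo = foo in (src, dst)
    return not (is_echo and involves_foo)


def bpf_misplaced_parens(pkt, foo=FOO):
    """BPF 'not (icmp[0] = 8 or icmp[0] = 0) and host foo' -- the outer
    parentheses moved. 'not' binds tighter than 'and', so this reads as
    (not echo) and (host foo): every packet NOT involving foo is dropped,
    which blinds the sensor to the rest of the network."""
    src, dst, proto, itype = pkt
    is_echo = proto == "icmp" and itype in (8, 0)
    involves_foo = foo in (src, dst)
    return (not is_echo) and involves_foo


def pass_rule_ignore(pkt, foo=FOO, home_net=HOME_NET):
    """Snort 'pass icmp foo any -> $HOME_NET any'. Returns True when the
    rule matches, i.e. the packet is ignored (only effective with snort -o,
    which evaluates pass rules before alert rules). Direction matters: only
    ICMP with foo as SOURCE and a $HOME_NET destination is passed."""
    src, dst, proto, _ = pkt
    return (proto == "icmp" and src == foo
            and ipaddress.ip_address(dst) in home_net)


def seen_by_engine(packets, capture_filter=None, pass_rule=None):
    """Packets that survive the capture filter and are not consumed by a
    pass rule, i.e. what the alert rules would actually get to inspect."""
    seen = []
    for pkt in packets:
        if capture_filter is not None and not capture_filter(pkt):
            continue  # never captured
        if pass_rule is not None and pass_rule(pkt):
            continue  # captured, but passed before alert rules run
        seen.append(pkt)
    return seen


if __name__ == "__main__":
    for label, kwargs in [
        ("BPF echo ignore", {"capture_filter": bpf_echo_ignore}),
        ("BPF misplaced parens", {"capture_filter": bpf_misplaced_parens}),
        ("pass rule", {"pass_rule": pass_rule_ignore}),
    ]:
        print(label)
        for pkt in seen_by_engine(SAMPLE, **kwargs):
            print("   ", pkt)
```

The two methods are not equivalent: the BPF version also drops the echo reply sent back to <foo> (because `host` is bidirectional) but still shows the destination-unreachable from <foo>, while the pass rule drops every ICMP type from <foo> to $HOME_NET but leaves the reply to <foo> visible. The misplaced-parentheses variant drops the ping from 10.9.9.9 entirely, which is exactly the "blind sensor" outcome the post warns about; checking a new filter with `tcpdump -d 'your filter'` before deploying it catches this kind of precedence mistake.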