[Snort-users] Ignore Hosts How-To

Erek Adams erek at ...577...
Fri Jun 7 11:44:03 EDT 2002


Ok, you have two basic options on ignoring hosts:

	BPF Filters
	Pass Rules

Both ways provide you with the potential to completely _blind_ your sensor to
all traffic.  This would be a 'Bad Thing(tm)'.

Here is a basic example of how-to ignore a host with for each method.  Are
they perfect?  No.  Want to improve and/or correct them?  Sure!  Feel free!



To ignore ICMP ECHO-REQUESTS (pings) and ICMP-ECHO REPLY's (ping reply) from
host <foo> using BPF:

	not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )

To ignore ALL ICMP traffic from host <foo> using a pass rule:

	pass icmp <foo> any -> $HOME_NET any

And you _MUST_ start snort with the '-o' parameter for the pass rule to work
correctly.

Anyone else got a better rule and/or filter?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list