[Snort-users] ignoring a host

McCammon, Keith Keith.McCammon at ...3497...
Fri Mar 1 07:54:42 EST 2002


You could put it in the command line using a "and not host" statement,
or you could write a pass rule and start Snort with the -o option, so
that pass is processed first.  Either way should work.

Personally, I would recommend the pass option, as there may be certain
types off traffic sourced from the firewall that you would want to
generate an alert.  Creating detailed pass rules for known, valid
traffic would help to clean up your alerts, while not totally ignoring
your firewall.  

Remember, firewall's get compromised, too!

-----Original Message-----
From: Fontenot, Paul [mailto:Paul.Fontenot at ...4988...]
Sent: Friday, March 01, 2002 10:41 AM
To: Snort (E-mail)
Subject: [Snort-users] ignoring a host


I have the following configuration:

a firewall, a snort box. snort has one leg inside the firewall and a
non-ip'd leg on a recieve only cable monitoring the firewall port. Is
there
a way to ignore the firewall as a source ip?

paul

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list