[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts

Ed Kasky ed at ...3483...
Mon May 20 09:22:05 EDT 2002


Michael,

The only problem with this is that it changes the "Signature" description 
of each Alert to "(External) Incoming
traffic."

Can it be done without the msg description so that it leaves Snort's 
description?

Ed
~~

At 11:36 AM Monday, 5/20/2002, Michael Boman wrote -=>
>You could create a 'pass' rule.
>
>var HOME_NET [10.1.1.0/24,10.1.2.0/24]
>var EXTERNAL_NET !$HOME_NET
>var IGNORE_THIS_BOX [10.2.1.92]
>
>pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
>alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incomming traffic";)
>
>and start snort with '-o'. Be careful though, too many pass rules and
>performance is dropping dramatically.

Ed Kasky
Los Angeles, CA
. . . . . . . .
Jumping to conclusions can be a bad exercise.
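
The rule ordering discussed in this thread, as an added example that is not part of the original posts or of Snort itself: a simplified Python model of how the pass rule interacts with '-o', and of which description an alert carries when the catch-all alert rule is present or left out. It assumes Snort's default alert-then-pass evaluation order (with '-o' switching to pass-then-alert) and that the first matching rule of a type decides; the `STOCK_SIG` rule and the 192.0.2.7 address are constructed stand-ins.

```python
import ipaddress

HOME_NET = ["10.1.1.0/24", "10.1.2.0/24"]   # values from the quoted message
IGNORE_THIS_BOX = ["10.2.1.92/32"]          # value from the quoted message

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def home(ip):
    return in_nets(ip, HOME_NET)

def external(ip):                           # EXTERNAL_NET is !$HOME_NET
    return not home(ip)

def ignored(ip):
    return in_nets(ip, IGNORE_THIS_BOX)

# Each rule: (action, source test, destination test, msg)
PASS_RULE = ("pass", ignored, home, None)   # a pass rule never shows a msg
CATCH_ALL = ("alert", external, home, "(External) Incomming traffic")
# Constructed stand-in for a stock signature that the packet also matches
STOCK_SIG = ("alert", external, home, "ICMP PING (constructed)")

def evaluate(rules, src, dst, pass_first):
    """Return the msg of the alert raised for src -> dst, or None.

    pass_first=False models the default order (alert rules, then pass);
    pass_first=True models starting snort with '-o' (pass rules first).
    """
    order = ["pass", "alert"] if pass_first else ["alert", "pass"]
    for action in order:
        for act, src_ok, dst_ok, msg in rules:
            if act == action and src_ok(src) and dst_ok(dst):
                return msg if act == "alert" else None
    return None

if __name__ == "__main__":
    quoted = [PASS_RULE, CATCH_ALL, STOCK_SIG]   # config from the quoted reply
    no_catch_all = [PASS_RULE, STOCK_SIG]        # same, minus the catch-all
    print(evaluate(quoted, "10.2.1.92", "10.1.1.5", pass_first=False))
    print(evaluate(quoted, "10.2.1.92", "10.1.1.5", pass_first=True))
    print(evaluate(quoted, "192.0.2.7", "10.1.1.5", pass_first=True))
    print(evaluate(no_catch_all, "192.0.2.7", "10.1.1.5", pass_first=True))
```

In this model the pass rule only suppresses the ignored host when pass rules are evaluated first, and the stock description is shown for other sources once the catch-all alert rule is left out.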




