[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts
ed at ...3483...
Mon May 20 09:22:05 EDT 2002
The only problem with this is that it changes the "Signature" description
of each Alert to "(External) Incoming
Can it be done without the msg description so that it leaves Snort's
At 11:36 AM Monday, 5/20/2002, Michael Boman wrote -=>
>You could create a 'pass' rule.
>var HOME_NET [10.1.1.0/24,10.1.2.0/24]
>var EXTERNAL_NET !$HOME_NET
>var IGNORE_THIS_BOX [10.2.1.92]
>pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
>alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incomming
>and start snort with '-o'. Be careful though, too many pass rules and
>performance is dropping dramatically.
Los Angeles, CA
. . . . . . . .
Jumping to conclusions can be a bad exercise.
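
A simplified model of the rule ordering the quoted reply relies on, added here as an example and not taken from the thread or from Snort's source: without `-o` alert rules are tested before pass rules, with `-o` pass rules are tested first, so a pass rule for $HOME_NET -> $HOME_NET that carries no msg silences internal alerts while every other alert keeps its own msg. The addresses, the rule table and the function names are constructed for illustration.

```python
import ipaddress

# Constructed networks modelled on the thread's HOME_NET variable (assumption).
HOME_NET = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]

def in_home(ip):
    """True when the address falls inside any HOME_NET block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def anywhere(ip):
    """Stands in for Snort's 'any' address."""
    return True

STOCK_MSG = "STOCK SIGNATURE (constructed)"

# Simplified rules: (action, source test, destination test, msg).
# The alert stands in for an unmodified signature; the pass rule has no msg.
RULES = [
    ("alert", anywhere, in_home, STOCK_MSG),
    ("pass", in_home, in_home, None),
]

DEFAULT_ORDER = ("alert", "pass", "log")  # Snort started without -o
PASS_FIRST = ("pass", "alert", "log")     # Snort started with -o

def evaluate(src, dst, order):
    """Return the msg of the alert a packet raises, or None if passed or unmatched."""
    for action in order:                  # action lists are walked in this order
        for act, src_ok, dst_ok, msg in RULES:
            if act == action and src_ok(src) and dst_ok(dst):
                # First match wins: only an alert produces output.
                return msg if action == "alert" else None
    return None

# Constructed sample traffic: one internal-to-internal, one external-to-internal.
PACKETS = [("10.1.1.5", "10.1.2.9"), ("192.0.2.44", "10.1.1.5")]

def alerts(packets, order):
    """List (src, dst, msg) for every packet that raises an alert."""
    results = [(s, d, evaluate(s, d, order)) for s, d in packets]
    return [r for r in results if r[2] is not None]

if __name__ == "__main__":
    print("without -o:", alerts(PACKETS, DEFAULT_ORDER))
    print("with -o:   ", alerts(PACKETS, PASS_FIRST))
```

A pass rule this broad also hides host-to-host activity inside HOME_NET from the sensor, so it is worth scoping it as narrowly as the noise allows.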