[Snort-users] Re: excluding a host from rule

Joe McAlerney joey at ...47...
Thu May 30 18:05:02 EDT 2002


Be careful though.  This will ignore any attacks destined to your
scanning box (192.168.200.3) as well.  If you want to ignore rule based
alerts originating from your scanner, create pass rules:

pass ip 192.168.200.3/32 any -> $HOME_NET any

To ignore portscans from your scanner:

preprocessor portscan-ignorehosts: 192.168.200.3/32

Note, this will still log any "stealth" scans.  If you really want to
ignore these, you will have to get creative with BPF filters applied to
your scanner's IP.

But, if you trust the box your scanner is on like it's your co-pilot you
can simply block Snort from seeing ALL traffic FROM your scanner using a
BPF filter similarly to the way Alex suggested:

snort -dev -c snort.conf not src host 192.168.200.3
                             ^^^

hth,

-Joe M.

--
Joe McAlerney
Silicon Defense: IDS Solutions
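Putting the two suggestions above into a snort.conf fragment, as an added example that is not part of the thread: Snort's default rule order is alert, pass, log, so a pass rule only suppresses a matching alert if the order is changed with `config order:` (or the `-o` command-line switch), and portscan-ignorehosts only has an effect when the portscan preprocessor itself is enabled. The `config order:` directive and the `preprocessor portscan:` line are taken from the Snort 1.x manual rather than from this thread, and the $HOME_NET value is assumed to be set earlier in the file.

```conf
# snort.conf fragment (added example, not from the mailing list thread)

# Pass rules only beat alert rules if Snort evaluates them first.
# The default order is alert -> pass -> log; this directive (or
# starting snort with -o) switches to pass -> alert -> log.
config order: pass alert log

# Rule-based alerts whose source is the scanner are dropped; the same
# rules still fire for traffic from any other host, and attacks aimed
# AT the scanner are still seen because only the source is matched.
pass ip 192.168.200.3/32 any -> $HOME_NET any

# The portscan preprocessor runs outside the rule engine, so it needs
# its own exclusion. Syntax: <monitored net> <ports> <seconds> <logfile>.
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.200.3/32
# "stealth" scan detections are still logged despite ignorehosts; only a
# BPF filter on the scanner's address (snort ... not src host X) hides those.
```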


------
Example: snort -dev -c snort.conf  not host 192.168.200.3
 
Alex
Brazil
 
 

       ----- Original Message ----- 
       From: Chang, Andre 
       To: 'snort-users at lists.sourceforge.net' 
       Sent: Thursday, May 30, 2002 6:19 PM
       Subject: [Snort-users] excluding a host from rule

       Can you exclude specific hosts from triggering the alert in a
       rule?  But still get alerted by that rule if any other hosts
       try the same action.

       Example you have a port scan on your network and you do not want
       to get alerted by that host doing the scan but you do want
       to get alerted by anyone else performing a port scan.
