[Snort-users] Re: excluding a host from rule
joey at ...47...
Thu May 30 18:05:02 EDT 2002
Be careful though. This will ignore any attacks destined to your
scanning box (192.168.200.3) as well. If you want to ignore rule based
alerts originating from your scanner, create pass rules:

    pass ip 192.168.200.3/32 any -> $HOME_NET any

To ignore portscans from your scanner:

    preprocessor portscan-ignorehosts: 192.168.200.3/32

Note, this will still log any "stealth" scans. If you really want to
ignore these, you will have to get creative with BPF filters applied to
your scanner's IP.

But, if you trust the box your scanner is on like it's your co-pilot, you
can simply block Snort from seeing ALL traffic FROM your scanner using a
BPF filter similarly to the way Alex suggested:

    snort -dev -c snort.conf not src host 192.168.200.3

Silicon Defense: IDS Solutions
Example: snort -dev -c snort.conf not host 192.168.200.3
----- Original Message -----
From: Chang, Andre
To: 'snort-users at lists.sourceforge.net'
Sent: Thursday, May 30, 2002 6:19 PM
Subject: [Snort-users] excluding a host from rule
Can you exclude specific hosts from triggering the alert in a
rule? But still get alerted by that rule if any other hosts
try the same action.
Example you have a port scan on your network and you do not want
to get alerted by that host doing the scan but you do want
to get alerted by anyone else performing a port scan.
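
Added example, not part of the original thread: a small Python model of which flows can still raise rule-based alerts under the three exclusions discussed above (`not host`, `not src host`, and the pass rule). The $HOME_NET value and every address other than 192.168.200.3 are constructed for illustration, and the pass rule is assumed to be evaluated before alert rules (in Snort of this era that means running with `-o`).

```python
import ipaddress

SCANNER = ipaddress.ip_address("192.168.200.3")
HOME_NET = ipaddress.ip_network("192.168.200.0/24")  # assumed value of $HOME_NET

# Constructed flows (src, dst, label); only the scanner address comes from the thread.
FLOWS = [
    ("192.168.200.3", "192.168.200.10", "scanner -> internal host"),
    ("192.168.200.3", "203.0.113.9", "scanner -> external host"),
    ("198.51.100.7", "192.168.200.3", "outsider -> scanner"),
    ("198.51.100.7", "192.168.200.10", "outsider -> internal host"),
]

def bpf_not_host(src, dst):
    """BPF 'not host SCANNER': dropped if either endpoint is the scanner."""
    return src != SCANNER and dst != SCANNER

def bpf_not_src_host(src, dst):
    """BPF 'not src host SCANNER': dropped only when the scanner is the source."""
    return src != SCANNER

def pass_rule(src, dst):
    """pass ip SCANNER/32 any -> $HOME_NET any: '->' is one-way, so only
    scanner-to-HOME_NET traffic skips the alert rules. The portscan
    preprocessor is not affected by pass rules and is not modelled here."""
    return not (src == SCANNER and dst in HOME_NET)

POLICIES = {
    "not host": bpf_not_host,
    "not src host": bpf_not_src_host,
    "pass rule": pass_rule,
}

def still_inspected(policy):
    """Labels of the constructed flows that can still trigger rule alerts."""
    check = POLICIES[policy]
    return [label for src, dst, label in FLOWS
            if check(ipaddress.ip_address(src), ipaddress.ip_address(dst))]

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:13s} still inspects: {', '.join(still_inspected(name))}")
```

With `not host`, attacks aimed at the scanner itself disappear from view; the pass rule is the narrowest of the three and still inspects the scanner's traffic to addresses outside $HOME_NET.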