[Snort-users] excluding a host from rule

Don Don at ...5881...
Fri May 31 08:33:09 EDT 2002


create a variable named $TRUSTED_HOSTS like so
var $TRUSTED_HOSTS [192.168.0.45/32,192.168.0.91/32]
fill that line in as necessarry and add the !$TRUSTED_HOSTS variable to the
rule your wish to exclude those hosts from, then restart snort.

Don


  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chang, Andre
  Sent: Thursday, May 30, 2002 2:20 PM
  To: 'snort-users at lists.sourceforge.net'
  Subject: [Snort-users] excluding a host from rule


  Can you exclude specific hosts from triggering the alert in a rule?  But
still get alerted by that rule if any other hosts try the same action.

  Example you have a port scan on your network and you do not want to get
alerted by that host doing the scan but you do want to get alerted by anyone
else performing a port scan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020531/d96017c9/attachment.html>


More information about the Snort-users mailing list