[Snort-users] Same source/dest

Erek Adams erek at ...950...
Wed Apr 2 08:02:27 EST 2003


On Tue, 1 Apr 2003, james wrote:

> If it is just one src/dst pair that is alerting on
> legit traffic, just modify the rule to exclude
> these IP's. In this case maybe set up a variable
> that excludes the IP's; or perhaps use a "!" ie,
>
> alert ip any any -> !10.1.2.3/32 25

No...  Don't modify the rule, because if you ever update your rules your
changes could be 'lost'.  Just write a pass rule instead.

	pass ip 10.1.2.3/32 any -> 10.1.2.3.4/32 25

And start snort with the -o parameter.

There is another method to ignore traffic [0] that may work better for
you.  Try both and see which one works better.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.theadamsfamily.net/~erek/snort/ignore.txt




More information about the Snort-users mailing list