[Snort-users] Snort Filtering

Michale michale at ...9068...
Tue Apr 29 15:12:07 EDT 2003


OK, it sounds like logging EVERYTHING might not be a wise approach.

I did (and am again) using the newest RULES downloaded from snort.org.

So, maybe the approach I am looking for is to have it use THAT ruleset,
but then put in domains and IPs that I want it to log activity from...

Is that a similar procedure to the one of NOT logging specified
domains and IPs??



Tuesday, April 29, 2003, 6:01:24 PM, you wrote:

ND> Michale <michale at ...9068...> wrote asking:

>>  I know how to make SNORT log ALL activity..

ND> This is probably not a good approach because security-related
ND> traffic will get swamped in the noise.  If you haven't already,
ND> I suggest you start with the ruleset shipped with the Snort
ND> distribution.

>>  But can I filter out the logging based on IP or Domain Name..

ND> Yes, but the subject is a big one and is well covered in the
ND> manual.  If you don't have a copy, it's available at the snort
ND> website:

ND>   http://www.snort.org

ND> Pay particular attention to what are called "pass" rules as a
ND> means of ignoring traffic from hosts believed to be friendly.

ND> Best regards,

ND> Neil Dickey, Ph.D.
ND> Research Associate/Sysop
ND> Geology Department
ND> Northern Illinois University
ND> DeKalb, Illinois
ND> 60115


Best regards,
 Michale                            mailto:michale at ...9068...
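
Added example, not part of the original thread: a local rules fragment that sits alongside the stock ruleset, ignoring friendly hosts with a "pass" rule as Neil suggests and logging traffic from chosen addresses as Michale asks. All addresses, variable names other than HOME_NET, the sid values and the file name local.rules are constructed placeholders.

```snort
# local.rules (hypothetical file name), included from snort.conf
# after the stock rules downloaded from snort.org.
#
# Rule headers take numeric IP addresses or CIDR blocks, not domain
# names, so resolve any domain you care about and list its addresses.
# Addresses below are constructed (RFC 5737 documentation ranges).

var HOME_NET 192.0.2.0/24
var TRUSTED  [192.0.2.10/32,192.0.2.11/32]
var WATCHED  [198.51.100.0/24,203.0.113.25/32]

# Ignore all traffic to or from hosts believed to be friendly.
pass ip $TRUSTED any <> any any (sid:1000001; rev:1;)

# Log every packet exchanged between the watched addresses and the
# home network, in addition to whatever the stock rules alert on.
log ip $WATCHED any <> $HOME_NET any (msg:"Watched host traffic"; sid:1000002; rev:1;)

# Snort releases of this era evaluate rules in Alert->Pass->Log order,
# so the pass rule only suppresses alerts when the order is changed to
# Pass->Alert->Log with the -o switch:
#
#   snort -o -c snort.conf
```

Keep the TRUSTED list as narrow as possible, since anything matching a pass rule is exempt from every alert rule in the stock set.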
