[Snort-users] Ignoring certain hosts

storm storm-shadow at ...5068...
Sun Jun 1 19:30:05 EDT 2003

Keep getting hit with broadcasts from my ISP.  So I would like to not see these in the alerts anymore.
And, sometimes when a user accesses our file server (legit user), snort reports: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**].   Would like to ignore all internal traffic and broadcasts from ISP. 

In the faqs, it said to write pass rules and add the hosts to the portscan-ignorehosts list . Then to call snort with the -o option to activate the pass rules. Can anyone elaborate on this? 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030601/7836d2f5/attachment.html>

More information about the Snort-users mailing list