[Snort-users] Ignoring certain hosts
storm-shadow at ...5068...
Sun Jun 1 19:30:05 EDT 2003
Keep getting hit with broadcasts from my ISP. So I would like to not see these in the alerts anymore.
And, sometimes when a user accesses our file server (legit user), snort reports: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [**]. Would like to ignore all internal traffic and broadcasts from ISP.
In the FAQs, it said to write pass rules and add the hosts to the portscan-ignorehosts list. Then to call snort with the -o option to activate the pass rules. Can anyone elaborate on this?
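The three steps the FAQ describes, sketched as an added example that is not part of the original post. Every address and the config path are placeholders assumed for illustration.

```conf
# --- local.rules (constructed example) --------------------------------
# Assumed placeholders, not taken from the post:
#   192.168.1.0/24   internal LAN that holds the file server
#   203.0.113.1/32   ISP host that sends the broadcasts

# Pass traffic that stays inside the LAN. A matching pass rule makes
# Snort skip the packet for every alert rule, not only sid 2102, so
# keep the source and destination as narrow as the network allows.
pass ip 192.168.1.0/24 any -> 192.168.1.0/24 any

# Pass the ISP's broadcasts: limited broadcast and the LAN's
# directed broadcast address.
pass ip 203.0.113.1/32 any -> 255.255.255.255/32 any
pass ip 203.0.113.1/32 any -> 192.168.1.255/32 any

# --- snort.conf --------------------------------------------------------
# Pass rules do not affect the portscan preprocessor, so the same
# source is also listed here to stop portscan alerts for it.
preprocessor portscan-ignorehosts: 203.0.113.1/32

include local.rules

# --- invocation --------------------------------------------------------
# Default rule order is alert -> pass -> log, so an alert rule fires
# before a pass rule is consulted. -o changes the order to
# pass -> alert -> log, which is what makes the rules above effective:
#
#   snort -o -c /etc/snort/snort.conf
```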