[Snort-users] How config Preprocessor (other than the portscan PP) to ignore c ertain hosts?

Erek Adams erek at ...950...
Thu May 1 08:19:35 EDT 2003


On Thu, 1 May 2003 Brad.Watkins at ...9078... wrote:

> I am running Nessus on the same subnet as my RH 7.3 box that is running
> Snort 2.0 (W/SQL) and ACID.  Every time I do an audit from Nessus it floods
> the logs with alerts.  I understand how to ignore hosts for the portscan
> preprocessors, but how do I get the other preprocessors to ignore a host or
> hosts?  Stream4 is the biggest problem as it shows all the stealth scans
> that Nesses is performing.  As I understand it writing rules will not due
> this as the preprocessors are acting before rules are applied.

You'll have to use a BPF filter.

	snort -c /etc/snort.conf 'not host 192.168.0.4 and not port 22'

That will stop the packets from ever getting into Snort.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list