[Snort-users] How config Preprocessor (other than the portscan PP) to ignore c ertain hosts?

Erek Adams erek at ...950...
Thu May 1 08:19:35 EDT 2003

On Thu, 1 May 2003 Brad.Watkins at ...9078... wrote:

> I am running Nessus on the same subnet as my RH 7.3 box that is running
> Snort 2.0 (W/SQL) and ACID.  Every time I do an audit from Nessus it floods
> the logs with alerts.  I understand how to ignore hosts for the portscan
> preprocessors, but how do I get the other preprocessors to ignore a host or
> hosts?  Stream4 is the biggest problem as it shows all the stealth scans
> that Nesses is performing.  As I understand it writing rules will not due
> this as the preprocessors are acting before rules are applied.

You'll have to use a BPF filter.

	snort -c /etc/snort.conf 'not host and not port 22'

That will stop the packets from ever getting into Snort.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list