[Snort-users] How to ignore a specific host(s) ?
edin.dizdarevic at ...7509...
Fri May 30 15:32:07 EDT 2003
Still, the best way to ignore a specific host(s), that is, to blend out
the packets from Snort for or from a specific host, is using BPF filters on the
Simply add to your command line "not host 18.104.22.168" and you're
blessed. If you want to ignore more hosts, add "and not host
22.214.171.124", and so on.
The kernel will throw away those packets as soon as possible so they
will not be copied to the user space, where the application (Snort in
this case) has to analyse them first and then throw them away.
See tcpdump manpage for more information on this.
Shawn Duffy wrote:
> You may want to change your $EXTERNAL_NET variable from any to
> [any,!$WHATEVER_IP_YOU_WANT] and then make sure that whatever rule is
> triggering is using the variable $EXTERNAL_NET instead of "any"
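
Added example (not part of the original post or of Snort itself): a small shell helper that turns a reviewed ignore list into the "not host A and not host B" expression described in the message above, rejecting any entry that is not a plain IPv4 address so nothing else can end up in the filter. The function name, the sample addresses, the config path and the interface name are assumptions made for illustration.

```shell
#!/bin/sh
# build_ignore_filter (hypothetical helper): reads one IPv4 address per line
# on stdin, skips blank lines and '#' comments, and prints a BPF expression
# of the form "not host A and not host B". Returns 1 on a malformed entry.
build_ignore_filter() {
    filter=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop trailing comments and surrounding whitespace
        host=$(printf '%s\n' "$line" |
            sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$host" ] && continue
        # Dotted-quad only: extra words such as "or port 22" are rejected
        if ! printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "invalid ignore-list entry: $host" >&2
            return 1
        fi
        # Each octet must be in the range 0-255
        for octet in $(printf '%s' "$host" | tr '.' ' '); do
            [ "$octet" -le 255 ] || {
                echo "octet out of range: $host" >&2
                return 1
            }
        done
        if [ -z "$filter" ]; then
            filter="not host $host"
        else
            filter="$filter and not host $host"
        fi
    done
    printf '%s\n' "$filter"
}

# Constructed sample list (documentation addresses, not taken from the post)
SAMPLE_LIST='# vulnerability scanner
192.0.2.10
198.51.100.7   # backup server
'
printf '%s' "$SAMPLE_LIST" | build_ignore_filter
# prints: not host 192.0.2.10 and not host 198.51.100.7

# Assumed invocation (config path and interface are placeholders):
#   snort -c /etc/snort/snort.conf -i eth0 "$(build_ignore_filter < ignore.txt)"
```

The expression goes last on the Snort command line, or into a file loaded with `-F`. Hosts excluded this way are invisible to every rule, so keep the list short and under review.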