[Snort-users] How to ignore a specific host(s) ?

Edin Dizdarevic edin.dizdarevic at ...7509...
Fri May 30 15:32:07 EDT 2003


Still, the best way to ignore a specific host (or hosts) is to block out the
packets to or from that host before they reach Snort, using BPF filters at the
kernel level.

Simply add "not host 111.111.111.111" to your command line and you're
blessed. If you want to ignore more hosts, add "and not host
111.111.111.112", and so on.

The kernel will throw away those packets as soon as possible, so they
will not be copied to user space, where the application (Snort in
this case) would have to analyse them first and then throw them away.

See the tcpdump manpage for more information on this.

Regards,

Edin


Shawn Duffy wrote:
> You may want to change your $EXTERNAL_NET variable from any to
> [any,!$WHATEVER_IP_YOU_WANT]  and then make sure that whatever rule is
> triggering is using the variable $EXTERNAL_NET instead of "any"
>> [...]
>>


-- 
Edin Dizdarevic
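The "and not host ..., and so on" part of the advice above is easy to get wrong by hand once the ignore list grows, so here is a small POSIX sh helper that builds the BPF expression from a list. It is an added example, not code from the original post or from the Snort project; the host values are constructed for the demo, and the snort command line shown in the comments (trailing BPF expression, config path) is an assumption about how you invoke Snort. It goes slightly beyond the post in that a token containing "/" is emitted as a "net" primitive, so whole prefixes can be ignored the same way.

```shell
#!/bin/sh
# Build a BPF "ignore these hosts" expression for Snort/tcpdump.
# Added example, not part of the original mailing-list post.

# build_bpf_exclude HOST|CIDR [HOST|CIDR ...]
#   Prints "not host A and not host B and not net C/len ..." with no
#   trailing newline, so it can be used directly in $(...).
#   Tokens containing "/" use the pcap-filter "net" primitive; all others
#   use "host". With no arguments it prints nothing (no filter at all).
build_bpf_exclude() {
    filter=""
    for token in "$@"; do
        case "$token" in
            */*) term="not net $token" ;;   # CIDR prefix, e.g. 10.0.0.0/8
            *)   term="not host $token" ;;  # single address or hostname
        esac
        if [ -z "$filter" ]; then
            filter="$term"
        else
            filter="$filter and $term"
        fi
    done
    printf '%s' "$filter"
}

# Demo with constructed sample addresses (the ones used in the post).
IGNORED="111.111.111.111 111.111.111.112"
FILTER=$(build_bpf_exclude $IGNORED)   # unquoted on purpose: word-split the list
echo "BPF filter: $FILTER"

# Dry run only: print the Snort invocation instead of starting it.
# The config path and interface are assumptions for this example; Snort,
# like tcpdump, takes the BPF expression as trailing command-line arguments.
echo "snort -c /etc/snort/snort.conf -i eth0 $FILTER"
```

Because the filter is compiled into the kernel's packet filter, a mistyped expression is rejected at startup rather than silently matching nothing, so checking the printed expression before launching Snort is all the validation this needs.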