[Snort-users] ignore a single host

Matt Kettler mkettler at ...4108...
Mon Nov 22 09:26:05 EST 2004


At 04:44 AM 11/21/2004, isp wrote:
>I have a computer which continuously gets following alert.  It is because it
>is making lots of SNMP requests which is what it is suppose to do.  How do I
>get snort to ignore a single host like this or just ignore this particular
>alert?

Option 1 - pass rules
         create a pass rule for the host, and add -o to your snort command 
line so pass rules get applied first

Option 2 - bpf filters
         pass a BPF filter on the command line that will ignore this host. 
See the tcpdump manpages for information on BPF syntax, as tcpdump uses the 
same BPF library as snort. something like "host not 1.1.1.1" should work, 
or "udp and src not 1.1.1.1" as a more specific version.

Option 3 - comment out the rule in the rulefile.
         it's a bit brute force, but it works. It should be in snmp.rules. 
Use grep to find a rule with sid:1417.

Option 4 - suppress the alert:
         suppress gen_id 1 , sid_id 1417

http://www.snort.org/docs/snort_manual/node12.html





More information about the Snort-users mailing list