[Snort-users] ignore a single host
mkettler at ...4108...
Mon Nov 22 09:26:05 EST 2004
At 04:44 AM 11/21/2004, isp wrote:
>I have a computer which continuously gets the following alert. It is because it
>is making lots of SNMP requests, which is what it is supposed to do. How do I
>get snort to ignore a single host like this or just ignore this particular
Option 1 - pass rules
Create a pass rule for the host, and add -o to your snort command
line so pass rules get applied first.
Option 2 - bpf filters
Pass a BPF filter on the command line that will ignore this host.
See the tcpdump manpages for information on BPF syntax, as tcpdump uses the
same BPF library as snort. Something like "host not 220.127.116.11" should work,
or "udp and src not 18.104.22.168" as a more specific version.
Option 3 - comment out the rule in the rulefile.
It's a bit brute-force, but it works. The rule should be in snmp.rules;
use grep to find the rule with sid:1417.
Option 4 - suppress the alert:
suppress gen_id 1, sig_id 1417
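Added example, not part of the reply above: a small Python script that reads Snort fast-format alert lines and applies a threshold.conf-style suppress entry to them. It shows the difference between a suppress entry with no track clause (which silences sid 1417 for every source, much like commenting the rule out) and the per-host form `suppress gen_id 1, sig_id 1417, track by_src, ip <host>`, which is the one that matches the question. The alert lines and the addresses 10.0.0.5 and 192.168.7.7 are constructed; the parser accepts a single IP or CIDR after `ip` and does not handle Snort's bracketed address lists.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "fast" alert format (not taken from the
# original post). Three hits on sid 1417 (SNMP request udp): two from the busy
# poller 10.0.0.5 and one from another host, plus one hit on a different sid.
SAMPLE_ALERTS = """\
11/21-04:40:01.000001  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1025 -> 10.0.0.1:161
11/21-04:40:02.000002  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1025 -> 10.0.0.2:161
11/21-04:40:03.000003  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.7.7:4000 -> 10.0.0.1:161
11/21-04:40:04.000004  [**] [1:1418:9] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:1026 -> 10.0.0.1:161
"""

# [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*? \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# suppress gen_id <gid>, sig_id <sid> [, track by_src|by_dst, ip <addr or cidr>]
# Simplification: one address or CIDR only; Snort also accepts bracketed lists.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>[\d./]+))?\s*$"
)


def parse_suppress(line):
    """Parse one threshold.conf suppress entry; reject misspelled keywords."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid suppress entry: {line!r}")
    net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]),
            "track": m["track"], "net": net}


def parse_alert(line):
    """Pull gid, sid and the two endpoints out of a fast-format alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]),
            "src": m["src"], "dst": m["dst"], "raw": line}


def is_suppressed(alert, rule):
    """True if this alert would be dropped by the suppress entry."""
    if (alert["gid"], alert["sid"]) != (rule["gid"], rule["sid"]):
        return False
    if rule["net"] is None:
        return True  # no track clause: the signature is silenced for every host
    addr = alert["src"] if rule["track"] == "by_src" else alert["dst"]
    return ipaddress.ip_address(addr) in rule["net"]


def apply_suppress(alert_text, suppress_line):
    """Return the alerts that survive the suppress entry, in input order."""
    rule = parse_suppress(suppress_line)
    parsed = (parse_alert(line) for line in alert_text.splitlines())
    return [a for a in parsed if a is not None and not is_suppressed(a, rule)]


if __name__ == "__main__":
    for entry in ("suppress gen_id 1, sig_id 1417",
                  "suppress gen_id 1, sig_id 1417, track by_src, ip 10.0.0.5"):
        kept = apply_suppress(SAMPLE_ALERTS, entry)
        print(f"{entry}\n  -> {len(kept)} alert(s) left:")
        for a in kept:
            print(f"     sid {a['sid']} from {a['src']}")
```

Run as-is, the no-track entry leaves only the sid 1418 alert, so the SNMP request from 192.168.7.7 would have gone unreported too; the `track by_src, ip 10.0.0.5` entry drops only the poller's two alerts and keeps the one from the other host. The same scoping applies to the pass-rule and BPF options: restrict them to the one host (for BPF, pcap-filter syntax writes that as `not host <addr>`) rather than to the whole signature or protocol.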