[Snort-users] supress an IP address?

Jason security at ...5028...
Thu Oct 28 10:26:02 EDT 2004


Use a BPF or a pass rule.

See http://www.snort.org/docs/snort_manual/ for how to do that.

Larry Wichman wrote:

> I don't think I was clear enough... I do not want to see
> any events from an IP address.
> --- "Bristol, Gary L." <gbristol at ...10387...> wrote:
> 
> 
>>How about suppressing in the Threshold.conf a Class B or 1 IP or two
>>with a CIDR of 32 or 31.
>>
>>This works for me.
>>
>>suppress gen_id 1, sig_id 365, track by_src, ip 129.15.0.0/16
>>suppress gen_id 1, sig_id 384, track by_src, ip 129.15.0.0/16
>>suppress gen_id 1, sig_id 402, track by_src, ip 129.15.0.0/16
>>suppress gen_id 1, sig_id 469, track by_src, ip 129.15.3.67/32
>>suppress gen_id 1, sig_id 1411, track by_src, ip 129.15.10.77/31
>>suppress gen_id 1, sig_id 1419, track by_dst, ip 129.15.3.27/32
>>
>>-----Original Message-----
>>From: snort-users-admin at lists.sourceforge.net
>>[mailto:snort-users-admin at lists.sourceforge.net] On
>>Behalf Of Larry
>>Wichman
>>Sent: Thursday, October 28, 2004 10:54 AM
>>To: Snorty S Snortman
>>Subject: [Snort-users] supress an IP address?
>>
>>It does not look like you can do this in the
>>threshold.conf, but I would like to not see events
>>from a couple of IP addresses. Does anyone know of a
>>way to do this?
>>
>>Cheers,
>>Larry
>>
> =====
> Cheers,
> Lawrence A. Wichman
> 2719 W Thomas Apt 2
> Chicago
> Il, 60622
> 773.807.7606
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
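
Added example (not part of the original thread): a small Python checker that parses the suppress lines quoted above and reports whether a given event would be silenced. It shows that each entry is scoped to one gen_id/sig_id pair, so other signatures from the same address still alert. The function names and test addresses are assumptions made for illustration, as is the masking of host bits in 129.15.10.77/31.

```python
import ipaddress
import re

# The suppress entries quoted in the thread, each rejoined onto one line.
THRESHOLD_CONF = """\
suppress gen_id 1, sig_id 365, track by_src, ip 129.15.0.0/16
suppress gen_id 1, sig_id 384, track by_src, ip 129.15.0.0/16
suppress gen_id 1, sig_id 402, track by_src, ip 129.15.0.0/16
suppress gen_id 1, sig_id 469, track by_src, ip 129.15.3.67/32
suppress gen_id 1, sig_id 1411, track by_src, ip 129.15.10.77/31
suppress gen_id 1, sig_id 1419, track by_dst, ip 129.15.3.27/32
"""

LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_suppress(text):
    """Return a list of (gen_id, sig_id, track, network) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {raw!r}")
        gen, sig, track, ip = m.groups()
        # Assumption: host bits are masked off, so .77/31 covers .76 and .77.
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append((int(gen), int(sig), track, net))
    return entries

def is_suppressed(entries, gen_id, sig_id, src, dst):
    """True if an event with these fields matches any suppress entry."""
    for gen, sig, track, net in entries:
        if (gen, sig) != (gen_id, sig_id):
            continue  # an entry only ever applies to its own signature
        if net is None:
            return True  # no track/ip: the signature is silenced everywhere
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if addr in net:
            return True
    return False

ENTRIES = parse_suppress(THRESHOLD_CONF)
```

An event for any sig_id not listed returns False even when its source sits inside 129.15.0.0/16, which is the gap the BPF or pass rule suggestion addresses.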




