[Snort-users] suppressing events from private lan

Matt Kettler mkettler at ...4108...
Wed Feb 16 14:43:17 EST 2005

At 04:22 PM 2/16/2005, hans wrote:
>i want to suppress all events from my private lan,
>which has ip-adr 172.20.x.y  ( rfc 1918 )
>reading http://www.snort.org/docs/snort_manual/node13.html
>i see gen_id and sig_id are required
>are there wildcards ?

Don't do it that way..  suppress is really intended to fix one or two rules..

Instead, set EXTERNAL_NET to be !$HOME_NET.. this will take care of the 
majority of them.

The few remaining rules you can use suppress, or you can take things to an 
extreme and use a bpf statement on the snort command line to prevent snort 
from seeing the packets at all. (the bp filter format is the same one used 
by the tcpdump command line)

>question 2: what are AIM_SERVERS in my snort.config

The list of AOL instant messenger servers for the AIM detection rules. 
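
An added example, not part of the original message: a snort.conf fragment showing the EXTERNAL_NET change and a per-rule suppress from the reply above, with the BPF alternative as a comment. The /16 mask, the sig_id, the interface name and the config path are assumptions or placeholders.

```conf
# snort.conf (Snort 2.x syntax); addresses and IDs below are assumed placeholders

# Private LAN from the question, assuming 172.20.x.y means a /16
var HOME_NET 172.20.0.0/16

# Stock setting: "external" matches everything, LAN hosts included
# var EXTERNAL_NET any

# Suggested setting: rules written "$EXTERNAL_NET ... -> $HOME_NET ..."
# no longer match packets whose source is inside HOME_NET
var EXTERNAL_NET !$HOME_NET

# For a rule that still fires on LAN sources, suppress it per source network.
# gen_id 1 is the rules engine; sig_id 1000001 is a placeholder, use the SID
# reported in the alert you want to silence.
suppress gen_id 1, sig_id 1000001, track by_src, ip 172.20.0.0/16

# BPF alternative (tcpdump filter syntax, given after the options on the
# command line). Snort then inspects nothing sent by these hosts:
#   snort -c /etc/snort/snort.conf -i eth0 'not src net 172.20.0.0/16'
```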

