[Snort-users] suppressing events from private lan
mkettler at ...4108...
Wed Feb 16 14:43:17 EST 2005
At 04:22 PM 2/16/2005, hans wrote:
>I want to suppress all events from my private LAN,
>which has IP address 172.20.x.y (RFC 1918).
>I see gen_id and sig_id are required.
>Are there wildcards?
Don't do it that way. Suppress is really intended to fix one or two rules.
Instead, set EXTERNAL_NET to be !$HOME_NET. This will take care of the
majority of them.
For the few remaining rules you can use suppress, or you can take things to an
extreme and use a BPF statement on the snort command line to prevent snort
from seeing the packets at all. (The BPF filter format is the same one used
by the tcpdump command line.)
>Question 2: what are AIM_SERVERS in my snort.config?
The list of AOL Instant Messenger servers for the AIM detection rules.
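
The three options from the reply above, written out as a Snort 2.x configuration sketch. This is an added example, not part of the original message. The /16 prefix for 172.20.x.y, the sig_id value, the interface name and the config path are assumptions or placeholders.

```conf
# --- Option 1: variables in snort.conf ---
# Assumption: the private LAN 172.20.x.y is the whole 172.20.0.0/16 block.
var HOME_NET 172.20.0.0/16

# Rules written as "$EXTERNAL_NET any -> $HOME_NET ..." no longer match
# traffic that originates inside the LAN once EXTERNAL_NET excludes it.
# The weak default this replaces is "var EXTERNAL_NET any".
var EXTERNAL_NET !$HOME_NET

# --- Option 2: suppress for the few rules that still fire ---
# gen_id and sig_id are both required and take no wildcard, so each noisy
# rule needs its own line. 1000001 is a placeholder sig_id; replace it
# with the sid of the rule actually generating the alerts.
# "track by_src, ip ..." limits the suppression to events whose source is
# in the LAN; the same rule still alerts for any other source.
suppress gen_id 1, sig_id 1000001, track by_src, ip 172.20.0.0/16

# --- Option 3: BPF filter on the command line (the extreme case) ---
# Not a snort.conf directive; shown as a comment because it is typed in
# the shell. Interface name and config path are assumptions.
#
#   snort -c /etc/snort/snort.conf -i eth0 'not src net 172.20.0.0/16'
#
# Caveat: packets excluded by the filter never reach the detection
# engine, so no rule, preprocessor or log will record anything sent by a
# LAN host, including a compromised one. Options 1 and 2 only change
# which alerts are raised; option 3 removes the visibility itself.
```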