[Snort-users] Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP"

Matt Kettler mkettler at ...4108...
Mon Oct 17 14:26:33 EDT 2005


Mike Kelley wrote:
> That's an awfully big hammer to hit those two tiny IP's ... What other
> alerts would I be disabling? 
> 
> config disable decode alerts ==> Turns off the alerts generated by the
> decode phase of Snort.
> 
> 
> I just want to suppress the alerts for 2 machines ... if other machines
> on the network start doing that I'd be concerned and would want to know.


Quite frankly, if *ANY* machine in my network did that I'd consider nuking it on
the spot and asking questions later.

However, for a finer-grained approach you could use a bpf to cause snort to not
see those packets.

This way you'd only loose the inspection of the offending packets.





More information about the Snort-users mailing list