[Snort-users] Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP"
mkettler at ...4108...
Mon Oct 17 14:26:33 EDT 2005
Mike Kelley wrote:
> That's an awfully big hammer to hit those two tiny IPs ... What other
> alerts would I be disabling?
> config disable decode alerts ==> Turns off the alerts generated by the
> decode phase of Snort.
> I just want to suppress the alerts for 2 machines ... if other machines
> on the network start doing that I'd be concerned and would want to know.
Quite frankly, if *ANY* machine in my network did that I'd consider nuking it on
the spot and asking questions later.
However, for a finer-grained approach you could use a bpf to cause snort to not
see those packets.
This way you'd only lose the inspection of the offending packets.
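Added example, not part of the original message: one way to build the BPF expression suggested in the reply above, so that only packets whose source and destination are both one of the two hosts are hidden from Snort and every other machine still triggers the decoder alert. The addresses are constructed placeholders and `build_same_ip_filter` is a hypothetical helper name.

```shell
#!/bin/sh
# Build a BPF expression that drops ONLY same-source/destination packets for
# the listed hosts. Any other traffic from those hosts, and same-src/dst
# packets from every other host, still reaches Snort.
# Addresses used below are constructed placeholders (RFC 5737 range).

build_same_ip_filter() {
    filter=""
    for ip in "$@"; do
        # Allow digits and dots only, so nothing else ends up in the filter.
        case "$ip" in
            ""|*[!0-9.]*) echo "invalid address: $ip" >&2; return 1 ;;
        esac
        clause="not (src host $ip and dst host $ip)"
        if [ -z "$filter" ]; then
            filter="$clause"
        else
            filter="$filter and $clause"
        fi
    done
    [ -n "$filter" ] || { echo "no hosts given" >&2; return 1; }
    printf '%s\n' "$filter"
}

# Print the expression for two placeholder hosts. The output can be saved to
# a file and loaded with Snort's -F option, or appended to the snort command
# line as the trailing filter expression.
build_same_ip_filter 192.0.2.10 192.0.2.20
```

Because each clause requires both `src host` and `dst host` to match the same address, normal traffic to and from the two machines is still inspected.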