[Snort-users] Excluding a single host from a rule

Jeremy cjeremy at ...11827...
Thu Nov 15 06:46:58 EST 2007

Event suppression is what you're looking for.  Something like:

suppress gen_id 1, sig_id 123456, track by_src, ip <fileserver-ip>
for your entire network cidr by src
suppress gen_id 1, sig_id 123456, track by_src, ip <network-cidr>

Here is a link to the Snort docs on the subject:


On Nov 15, 2007 5:09 AM, Roman Daszczyszak <romandas at ...11827...> wrote:
> Hi all,
> I'm relatively new to using Snort, yet I've read through the rules
> section in the manual and tried searching the Sourcefire forums and
> can't seem to find an answer to this.
> How can I exclude a single host on my network from an alert rule?
> Specifically, I have a fileserver that hosts Windows shares for our
> users' home directory and profiles.  The users connect from all across
> our enterprise and when they do, Windows XP seems to handle the
> transaction first by pinging the fileserver, then establishing the
> connection via TCP/NetBIOS.  However, with the quantity of users, each
> of those ICMP pings prior to the real connection are collectively
> causing the ICMP NMAP rule to fire.
> I would like to exclude the fileserver from alerting when the NMAP
> rule fires, yet keep the rule active for the rest of the network.  How
> can I do this?
> Thanks,
> Roman
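An added illustration, not part of Jeremy's reply or of the Snort project's own code: a small Python model of how Snort matches suppress entries, using a constructed config fragment with assumed addresses (fileserver 10.1.1.54, a noisy subnet 10.9.0.0/24) and sig_id 469 assumed to be the classic "ICMP PING NMAP" rule. Because the pings in Roman's case are addressed to the fileserver, the entry that quiets it tracks by_dst; a by_src entry keys on each client's address instead.

```python
import ipaddress
import re

# Constructed snort.conf fragment. Assumed values: fileserver 10.1.1.54,
# a noisy subnet 10.9.0.0/24, and sig_id 469 taken to be the classic
# "ICMP PING NMAP" rule; check the IDs in your own ruleset.
SUPPRESS_CONF = """
# pings are addressed TO the fileserver, so key on the destination
suppress gen_id 1, sig_id 469, track by_dst, ip 10.1.1.54
# quiet a whole subnet plus one host by source address
suppress gen_id 1, sig_id 469, track by_src, ip [10.9.0.0/24,10.9.1.7]
# no track clause: the signature is suppressed everywhere
suppress gen_id 1, sig_id 2000001
"""

LINE_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")

def parse_suppress(text):
    """Parse suppress lines into (gid, sid, track, [networks]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable suppress line: {line!r}")
        gid, sid, track, ips = m.groups()
        nets = []
        if ips:  # single IP, CIDR, or a bracketed comma list of either
            for tok in ips.strip("[]").split(","):
                nets.append(ipaddress.ip_network(tok.strip(), strict=False))
        rules.append((int(gid), int(sid), track, nets))
    return rules

def is_suppressed(rules, gid, sid, src, dst):
    """True if event (gid, sid) from src to dst would be dropped."""
    for r_gid, r_sid, track, nets in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if track is None:          # no track clause: always suppressed
            return True
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if any(addr in net for net in nets):
            return True
    return False

RULES = parse_suppress(SUPPRESS_CONF)
```

Run it against a few (src, dst) pairs: a client pinging 10.1.1.54 is quiet, the same signature between two other hosts still alerts, and a suppress line with no track clause silences the signature everywhere.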
