[Snort-users] Event Suppression between specific Source and Destination

Jeremy Hoel jthoel at ...11827...
Fri Dec 14 22:06:47 EST 2012


You could also suppress an alert between two hosts by creating a pass
rule.

Also, most rules (that I can think of based on our alerts) are
unidirectional. So if I know some servers always get rap traffic I suppress
those alerts with the src or dst depending on the rule.

On Dec 14, 2012 7:41 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:

> On 12/14/2012 10:44, Guido Hungerbuehler wrote:
> > I only agree on parts. Because if you would like to create a pass rule
> > for one specific rule and the two affected hosts, this would mean that I
> > basically have to copy the rule that triggers the event and replace
> > 'alert' with 'pass' and adjust the source and destination.
> >
> > But if the signature gets a new revision, the pass-rule does not get
> > updated. And I would have to check for changes in the rules manually.
>
> welcome to IDS Management 101 ;)
>
> but seriously, i see what you are saying but there is no other method
> available at this time for the way you choose to operate :?
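Added example, not part of the original thread and not Snort's own tooling: a small Python check for the revision-drift problem raised in the quoted message, where a pass rule copied from an alert rule goes stale when the signature gets a new revision. It assumes a local, hypothetical convention of a `# derived-from sid:N rev:M` comment above each copied pass rule; all rules, sids and addresses below are constructed samples.

```python
import re

# Constructed sample: vendor rules after an update (sid 2000001 is now rev 4).
VENDOR_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"EXAMPLE remote desktop probe"; flow:to_server; content:"|03 00|"; depth:2; sid:2000001; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh banner"; content:"SSH-"; depth:4; sid:2000002; rev:2;)
'''
# Constructed sample: local pass rules tagged with the hypothetical comment.
LOCAL_PASS_RULES = '''
# derived-from sid:2000001 rev:3
pass tcp 192.0.2.10 any -> 198.51.100.20 3389 (msg:"PASS EXAMPLE remote desktop probe"; flow:to_server; content:"|03 00|"; depth:2; sid:1000001; rev:1;)
# derived-from sid:2000002 rev:2
pass tcp 192.0.2.10 any -> 198.51.100.20 22 (msg:"PASS EXAMPLE ssh banner"; content:"SSH-"; depth:4; sid:1000002; rev:1;)
# derived-from sid:2000009 rev:1
pass tcp 192.0.2.10 any -> 198.51.100.20 80 (msg:"PASS EXAMPLE removed upstream"; sid:1000003; rev:1;)
'''

SID_REV = re.compile(r'\bsid:\s*(\d+)\s*;.*?\brev:\s*(\d+)\s*;')
DERIVED = re.compile(r'^#\s*derived-from\s+sid:(\d+)\s+rev:(\d+)\s*$')

def vendor_revisions(text):
    """Map sid -> current rev for every enabled alert rule."""
    revs = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('alert '):
            m = SID_REV.search(line)
            if m:
                revs[int(m.group(1))] = int(m.group(2))
    return revs

def stale_pass_rules(vendor_text, local_text):
    """Return (pass_sid, source_sid, copied_rev, current_rev) tuples to review."""
    current = vendor_revisions(vendor_text)
    findings, origin = [], None
    for line in local_text.splitlines():
        line = line.strip()
        tag = DERIVED.match(line)
        if tag:
            origin = (int(tag.group(1)), int(tag.group(2)))
        elif line.startswith('pass ') and origin:
            src_sid, copied_rev = origin
            pass_sid = int(SID_REV.search(line).group(1))
            now = current.get(src_sid)  # None means the rule is gone upstream
            if now != copied_rev:
                findings.append((pass_sid, src_sid, copied_rev, now))
            origin = None
    return findings
```

Run after each rule update, the findings list names the pass rules whose source signature changed or disappeared, so only those need to be re-copied by hand.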