Thu Nov 23 16:36:19 EST 2017
'ignore' a host and/or type of traffic from that host, but no others. If
that's correct, then have a look at this:
If I'm wrong... *shrug* Guess that would be a penalty drink for me.
Date: Fri, 7 Jun 2002 11:43:18 -0700 (PDT)
From: Erek Adams <erek at ...577...>
To: Got Snort? <snort-users at lists.sourceforge.net>
Subject: Ignore Hosts How-To
Ok, you have two basic options on ignoring hosts:
Both ways provide you with the potential to completely _blind_ your sensor
to all traffic. This would be a 'Bad Thing(tm)'.
Here is a basic example of how to ignore a host with each method. Are
they perfect? No. Want to improve and/or correct them? Sure! Feel free!
To ignore ICMP ECHO-REQUESTs (pings) and ICMP ECHO-REPLYs (ping replies) from
host <foo> using BPF:
not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )
To ignore ALL ICMP traffic from host <foo> using a pass rule:
pass icmp <foo> any -> $HOME_NET any
And you _MUST_ start snort with the '-o' parameter for the pass rule to
Anyone else got a better rule and/or filter?
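The two methods above do not silence the same traffic: the BPF expression only drops echo request/reply but matches `host <foo>` at either end of the packet, while the pass rule covers every ICMP type but only in the one direction its header names. The following is an added example (not from the original post or from Snort itself) that emulates both predicates over constructed IPv4/ICMP packets; the addresses used for <foo> and $HOME_NET are constructed RFC 5737 test values.

```python
import ipaddress
import struct

# Constructed values standing in for the list post's placeholders (RFC 5737 test ranges).
IGNORED_HOST = "192.0.2.10"                          # the <foo> to ignore
HOME_NET = ipaddress.ip_network("198.51.100.0/24")   # stands in for $HOME_NET


def build_packet(src: str, dst: str, proto: int, icmp_type: int = 0) -> bytes:
    """Minimal IPv4 header plus an 8-byte transport header; no checksums, never sent."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    # For ICMP the first byte after the IP header is the type (what icmp[0] reads in BPF).
    return ip_header + struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)


def parse(packet: bytes) -> dict:
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "icmp_type": packet[ihl] if proto == 1 else None,
    }


def bpf_keeps(packet: bytes, host: str = IGNORED_HOST) -> bool:
    """Emulates 'not ((icmp[0] = 8 or icmp[0] = 0) and host <foo>)'.
    'host' matches either endpoint, so echo traffic in both directions is dropped,
    while any other ICMP type from <foo> is still delivered to the detection engine.
    """
    p = parse(packet)
    is_echo = p["proto"] == 1 and p["icmp_type"] in (8, 0)
    return not (is_echo and host in (p["src"], p["dst"]))


def pass_rule_silences(packet: bytes, host: str = IGNORED_HOST) -> bool:
    """Emulates 'pass icmp <foo> any -> $HOME_NET any' (header-only rule, one direction).
    Every ICMP type from <foo> into $HOME_NET is passed, but replies from
    $HOME_NET back to <foo> are not covered by this rule as written.
    """
    p = parse(packet)
    return (p["proto"] == 1 and p["src"] == host
            and ipaddress.ip_address(p["dst"]) in HOME_NET)
```

Running both predicates over an echo request, its reply, a destination-unreachable from <foo>, and a ping from some other host shows exactly which packets each method blinds the sensor to.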
If I want to use the pass rule, where do I have to add it? What is BPF?