No subject


Thu Nov 23 16:36:19 EST 2017


to 'ignore' a host and/or type of traffic from that host, but no others.  If
that's correct, then have a look at this:

     http://www.theadamsfamily.net/~erek/snort/ignore.txt

If I'm wrong...  *shrug*  Guess that would be a penalty drink[0] for me.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


[0]  http://www.theadamsfamily.net/~erek/snort/drinking_game.txt

From erek at ...577... Tue Jun 18 11:40:30 2002
Date: Fri, 7 Jun 2002 11:43:18 -0700 (PDT)
From: Erek Adams <erek at ...577...>
To: Got Snort? <snort-users at lists.sourceforge.net>
Subject: Ignore Hosts How-To


Ok, you have two basic options on ignoring hosts:

           BPF Filters
           Pass Rules

Both ways provide you with the potential to completely _blind_ your sensor to
all traffic.  This would be a 'Bad Thing(tm)'.

Here is a basic example of how to ignore a host with each method.  Are they
perfect?  No.  Want to improve and/or correct them?  Sure!  Feel free!



To ignore ICMP echo requests (pings) and ICMP echo replies (ping replies) from
host <foo> using BPF:

           not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )

To ignore ALL ICMP traffic from host <foo> using a pass rule:

           pass icmp <foo> any -> $HOME_NET any

And you _MUST_ start snort with the '-o' parameter for the pass rule to work
correctly.

Anyone else got a better rule and/or filter?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
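
As an added illustration (this is not code from the post above, nor from Snort
or libpcap), here is a Python model of what the two methods actually match, run
over constructed IPv4/ICMP and TCP packets.  It reimplements the semantics of
the BPF expression and of the pass rule by hand rather than calling Snort.
The addresses 192.0.2.10 for <foo> and 10.0.0.0/8 for $HOME_NET are assumed
values chosen for the example.  Two things it makes visible: in BPF, 'host <foo>'
matches <foo> as source OR destination, so the filter as written also discards
echo replies sent to <foo> ('src host <foo>' restricts it to traffic from <foo>),
while the pass rule covers every ICMP type from <foo> but only towards $HOME_NET.

```python
import ipaddress
import struct

# Assumed stand-ins, constructed for this example (not from the post):
FOO = "192.0.2.10"                              # the <foo> host to ignore
HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # value of $HOME_NET

ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST = 0, 3, 8
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def icmp_packet(src, dst, icmp_type):
    """IPv4/ICMP packet of the given type; id/seq values are arbitrary."""
    return build_ipv4(src, dst, IPPROTO_ICMP,
                      struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1))


def tcp_syn_packet(src, dst, sport=40000, dport=22):
    """IPv4/TCP SYN with a bare 20-byte TCP header (data offset 5, flags 0x02)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return build_ipv4(src, dst, IPPROTO_TCP, tcp)


def decode(packet):
    """Return (proto, src, dst, icmp_type); icmp_type is None for non-ICMP.
    icmp[0] in BPF is the first byte after the IP header, i.e. the ICMP type."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    icmp_type = packet[ihl] if proto == IPPROTO_ICMP else None
    return proto, src, dst, icmp_type


def bpf_host_filter(packet, foo=FOO):
    """Models:  not ( (icmp[0] = 8 or icmp[0] = 0) and host foo )
    'host foo' is bidirectional: it matches foo as source OR destination.
    Returns True if the packet still reaches the sensor."""
    proto, src, dst, icmp_type = decode(packet)
    is_echo = proto == IPPROTO_ICMP and icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    return not (is_echo and foo in (src, dst))


def bpf_src_host_filter(packet, foo=FOO):
    """Models the narrower:  not ( (icmp[0] = 8 or icmp[0] = 0) and src host foo )
    which only drops echo traffic sent BY foo."""
    proto, src, dst, icmp_type = decode(packet)
    is_echo = proto == IPPROTO_ICMP and icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    return not (is_echo and src == foo)


def pass_rule_matches(packet, foo=FOO, home_net=HOME_NET):
    """Models:  pass icmp foo any -> $HOME_NET any
    True when the rule fires, i.e. Snort passes the packet without alerting.
    Any ICMP type counts, but only from foo towards $HOME_NET."""
    proto, src, dst, _ = decode(packet)
    return proto == IPPROTO_ICMP and src == foo and ipaddress.ip_address(dst) in home_net


def compare(packet):
    """One row of the comparison: what each method does with this packet."""
    return {
        "bpf_host_keeps": bpf_host_filter(packet),
        "bpf_src_host_keeps": bpf_src_host_filter(packet),
        "pass_rule_suppresses": pass_rule_matches(packet),
    }


if __name__ == "__main__":
    samples = {
        "echo request foo -> home": icmp_packet(FOO, "10.1.1.1", ICMP_ECHO_REQUEST),
        "echo reply home -> foo": icmp_packet("10.1.1.1", FOO, ICMP_ECHO_REPLY),
        "unreachable foo -> home": icmp_packet(FOO, "10.1.1.1", ICMP_UNREACHABLE),
        "echo request foo -> outside": icmp_packet(FOO, "198.51.100.7", ICMP_ECHO_REQUEST),
        "tcp syn foo -> home": tcp_syn_packet(FOO, "10.1.1.1"),
    }
    for name, pkt in samples.items():
        print(f"{name:30s} {compare(pkt)}")
```

Where each method goes in a real deployment: the BPF expression is handed to
snort the way it is to tcpdump, as the trailing argument on the command line
(or read from a file with -F), and libpcap discards matching packets before
Snort decodes them.  The pass rule lives in the rules file that -c loads, and
Snort still decodes those packets; it just does not alert on them, which is why
the -o ordering matters.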

Erek,

If I want to use the pass rule, where do I have to add it? What is BPF?

Thanks,

David
