Snort mailing list archives

Re: Suppression question
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 29 May 2013 20:32:42 +0000

You could write a local.rules rule to allow the traffic between the
two hosts on that port (copy the rule that's hitting, change to pass
and change the IPs) or you could do a BPF filter for that traffic.

I myself like the local.rules option, so that if it hits on another
rule, or different type of traffic you won't miss it like you would
with the BPF.


On Wed, May 29, 2013 at 1:27 PM, SnortFan <SnortFan () yahoo com> wrote:
Hi All,
     I know you can suppress a rule by either source or destination IP, but is there a way to suppress a rule from a 
known IP to another known IP? On one sensor I'm getting an excessive amount of hits on one preprocessor rule from a 
specific IP going to another specific IP.  I still want this rule to trigger but just not on this case from IP A to 
IP B.

Thanks.

Sent from a mobile device.
------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
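
The two options from the reply above, as an added example that is not part of the original thread: a helper that copies a firing rule into a pass rule pinned to one source/destination pair, and the BPF filter that would exclude the same traffic. The sample rule, its sids and the 192.0.2.x addresses are constructed, and the helper assumes a Snort 2.x text rule with a standard header.

```python
import re

# Header of a Snort 2.x text rule: action proto src sport dir dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


def _parse(rule):
    m = HEADER.match(rule.strip())
    if m is None:
        raise ValueError("not a text rule with a standard header")
    return m


def to_pass_rule(rule, src_ip, dst_ip, new_sid):
    """Copy the firing rule, change the action to pass and pin both IPs."""
    m = _parse(rule)
    # The copy needs its own sid so it does not collide with the original.
    opts, n = re.subn(r'\bsid\s*:\s*\d+\s*;', f'sid:{new_sid};', m['opts'])
    if n != 1:
        raise ValueError("expected exactly one sid option")
    opts = re.sub(r'\brev\s*:\s*\d+\s*;', 'rev:1;', opts)
    # Detection options are kept, so only this rule's match is passed.
    return (f"pass {m['proto']} {src_ip} {m['sport']} {m['dir']} "
            f"{dst_ip} {m['dport']} ({opts})")


def to_bpf(rule, src_ip, dst_ip):
    """BPF alternative: Snort never sees this traffic, so no rule fires on it."""
    m = _parse(rule)
    clause = f"src host {src_ip} and dst host {dst_ip}"
    if m['dport'].isdigit():  # only a literal port maps to a BPF port test
        clause += f" and {m['proto']} dst port {m['dport']}"
    return f"not ({clause})"


# Constructed sample rule (not a real signature); sid and content are made up.
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
          '(msg:"CONSTRUCTED example rule"; flow:to_server,established; '
          'content:"|ff|SMB"; sid:1999999; rev:3;)')

if __name__ == "__main__":
    print(to_pass_rule(SAMPLE, "192.0.2.10", "192.0.2.20", 1000001))
    print(to_bpf(SAMPLE, "192.0.2.10", "192.0.2.20"))
```

The pass rule still carries the original detection options, so other rules keep alerting on the same host pair, while the BPF expression hides that traffic from every rule.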

