Snort mailing list archives

Re: how to ignore scans from trusted hosts?


From: Tony Lill <ajlill () ajlc waterloo on ca>
Date: Fri, 01 Jun 2001 11:59:42 EDT

"Neil" == Neil Dickey <neil () geol niu edu> writes:


    Neil> Roeland Weve <roeland () office netland nl> wrote asking:

    >> I've seen it in a snort.conf version where the trusted host
    >> 'www.snort.org' was ignored from getting alerts from.  Now I'm
    >> getting alerts from some trusted hosts and want to ignore them
    >> by putting them in the snort.conf file.  I forgot how to do
    >> that, is it still possible and how can I do it?

    Neil> Yes, you need to write a "pass" rule, e.g.:

    Neil>   pass tcp 205.164.217.39 80 <> any any

That won't stop it from complaining about portscans, since that is
handled in a pre-processor (before the rules are matched). What you
need to do is write a tcpdump-style filter to exclude the host, e.g.

not ( tcp and host trusted.host and port 80 )

and either append it to the command line or put it in a file and use
the -F option to snort.

I've also had problems with pass rules being ignored if you put them
after 'include' directives in 1.7. I really should see if that's been
fixed in 1.8.
--
Tony Lill,                         Tony.Lill () AJLC Waterloo ON CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
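An added example, not from Tony's message or from the Snort project, that generalizes the single-host filter above to a list of trusted hosts and writes the result in the form the -F file expects; `trusted.host` and `10.0.0.5` are constructed sample values.

```shell
#!/bin/sh
# Build a tcpdump/BPF exclusion expression for a list of trusted hosts.
# Each argument is "host" or "host:port"; a bare host excludes all of its
# traffic, "host:port" excludes only TCP traffic on that port.
# Caveat for defenders: a BPF filter is applied at capture time, so Snort
# drops these packets before EVERY stage, not just the portscan
# pre-processor. Nothing from an excluded host will ever trigger a rule,
# so keep the list as narrow as possible (prefer host:port over host).
# IPv6 literals (which contain ':') are not handled by this helper.
build_bpf_exclusion() {
    filter=""
    for spec in "$@"; do
        host=${spec%%:*}
        port=${spec#*:}
        if [ "$port" = "$spec" ]; then
            term="host $host"
        else
            term="tcp and host $host and port $port"
        fi
        if [ -z "$filter" ]; then
            filter="( $term )"
        else
            filter="$filter or ( $term )"
        fi
    done
    [ -n "$filter" ] && printf 'not ( %s )\n' "$filter"
}

# Demo with constructed hosts; redirect the output to a file and pass it
# to snort with -F (or paste it after the other options on the command line).
build_bpf_exclusion trusted.host:80 10.0.0.5
```

For example `build_bpf_exclusion trusted.host:80 10.0.0.5 > /etc/snort/trusted.bpf` and then `snort -c snort.conf -F /etc/snort/trusted.bpf`.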