Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Ignore Hosts How-To

From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 7 Jun 2002 11:43:18 -0700 (PDT)

Ok, you have two basic options on ignoring hosts:

        BPF Filters
        Pass Rules

Both ways provide you with the potential to completely _blind_ your sensor to
all traffic.  This would be a 'Bad Thing(tm)'.

Here is a basic example of how-to ignore a host with for each method.  Are
they perfect?  No.  Want to improve and/or correct them?  Sure!  Feel free!



To ignore ICMP ECHO-REQUESTS (pings) and ICMP-ECHO REPLY's (ping reply) from
host <foo> using BPF:

        not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )

To ignore ALL ICMP traffic from host <foo> using a pass rule:

        pass icmp <foo> any -> $HOME_NET any

And you _MUST_ start snort with the '-o' parameter for the pass rule to work
correctly.

Anyone else got a better rule and/or filter?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: