Snort mailing list archives

Re: Ignoring all traffic from a certain network


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 15 Apr 2002 12:31:44 -0700 (PDT)

On Mon, 15 Apr 2002, Stephen C Burns wrote:

> Is there a way to have Snort and all of its rules ignore all traffic from
> a specific /24?  Like a global portscan-ignorehosts directive that affects
> everything, not just port scans?  I get a lot of false positives in the
> rules from my HOME_NET that I'd like to take out, if possible... thanks
> everyone.

As Jeff mentioned, you could use BPF filters.  This is a fairly good idea,
since it tells pcap not to pass the packets into snort.  That stops any 'extra
overhead' of processing that snort would have to do.  If it's a lot of stuff,
I'd suggest looking at using a BPF filter file.

        -F <bpf>   Read BPF filters from file <bpf>

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
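
A sketch of the filter-file approach suggested above, added as an example and not part of the original message. The helper names `is_cidr` and `build_filter`, the file name `ignore.bpf`, and the network 192.168.1.0/24 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): emit the contents of a BPF
# filter file for `snort -F` that drops packets sourced from given networks.

# is_cidr A.B.C.D/LEN: succeed only for a well-formed IPv4 network.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    # libpcap refuses a network with host bits set (e.g. 10.0.0.5/24).
    [ $(( n & ((1 << (32 - len)) - 1) )) -eq 0 ]
}

# build_filter NET/LEN...: print one BPF expression that excludes packets
# whose source address is in any listed network. Traffic sent *to* those
# networks still reaches Snort, because only `src net` is matched.
build_filter() {
    [ $# -gt 0 ] || { echo "usage: build_filter NET/LEN..." >&2; return 2; }
    body=
    for net in "$@"; do
        is_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
        body="${body:+$body or }src net $net"
    done
    # No comment lines are written: the file holds the expression only.
    printf 'not (%s)\n' "$body"
}

# Constructed sample network standing in for the noisy /24. Typical use:
#   build_filter 192.168.1.0/24 > ignore.bpf
#   snort -c snort.conf -F ignore.bpf
build_filter 192.168.1.0/24
```

Packets excluded this way never reach Snort, so no rule or preprocessor can alert on them; keep the excluded range as narrow as the false positives require.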

