Snort mailing list archives
Re: HOWTO Ignore specific IP addresses
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 13 May 2003 19:53:17 +0200
Hi,

use BPF filter directives on the command line

    snort [...] not host 192.168.1.1 and not host ...

That is the fastest way. See tcpdump manpage for more options. You can filter on flags, protocols, ports etc.

Regards,

Edin

Michael Parkinson wrote:
Hi All,

OK slowly going brain dead here.

Current set-up is two web servers attached to a SNAZ NFS server. When I kick Snort into action it works fine BUT I get literally hundreds of false positives:

    BAD TRAFFIC bad frag bits
    MISC Large UDP Packet

A simple solution is to tell Snort to ignore this server completely.... Simply put how do I get Snort to ignore this machine completely?

All help appreciated.

With thanks

Mike

====================================================
http://www.ishop.co.uk/
Build on-line. Buy online.
The only UK based complete e-commerce package.
====================================================
Michael Parkinson BSc.(Hons)
Technical Director
Intellnet Limited
5 Priors
London Road
Bishops Stortford
Herts CM23 5ED
====================================================
Phone   : 01279 602800
DDI     : 01279 602805
Fax     : 01279 600815
Mobile  : 07770 380511
ICQ No. : 47666166
E-mail  : michael () intellnet net uk
          michael () parkinson co uk
URL     : http://www.intellnet.net.uk/
          http://www.ishop.co.uk/
====================================================

-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Edin Dizdarevic
Networking Unit
Internet- & e-Security
iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany
fon  +49-(0)30 69 004-123
fax  +49-(0)30 69 004-101
mail edin.dizdarevic () interActive-Systems de
URL  http://www.interActive-Systems.de/security
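An added example, not part of the thread and not Snort's own code: a shell helper that builds the "not host ..." expression from the reply above out of validated addresses, and goes one step further with a pair-scoped variant that ignores only the storage server's conversations with named clients. The function names and the addresses 192.168.1.10 and 192.168.1.11 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed samples.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so nothing but an address can end up inside the filter expression.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# host_exclusion ADDR...: the form given in the reply; every ADDR is dropped
# for all traffic, whoever the peer is.
host_exclusion() {
    out=
    for h in "$@"; do
        is_ipv4 "$h" || { echo "bad address: $h" >&2; return 1; }
        out="${out:+$out and }not host $h"
    done
    printf '%s\n' "$out"
}

# pair_exclusion SERVER CLIENT...: drop only SERVER<->CLIENT conversations;
# any other host talking to SERVER is still inspected.
pair_exclusion() {
    [ "$#" -ge 2 ] || { echo "usage: pair_exclusion SERVER CLIENT..." >&2; return 1; }
    server=$1; shift
    is_ipv4 "$server" || { echo "bad address: $server" >&2; return 1; }
    clients=
    for c in "$@"; do
        is_ipv4 "$c" || { echo "bad address: $c" >&2; return 1; }
        clients="${clients:+$clients or }host $c"
    done
    printf 'not (host %s and (%s))\n' "$server" "$clients"
}

# Assumed layout: storage server 192.168.1.1, web servers .10 and .11.
# The parentheses must be quoted on the command line, as printed here.
echo "snort [...] '$(pair_exclusion 192.168.1.1 192.168.1.10 192.168.1.11)'"
```

The pair-scoped form keeps the sensor's view of every other host that contacts the storage server, which the blanket form gives up.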
Current thread:
- HOWTO Ignore specific IP addresses Michael Parkinson (May 13)
- Re: HOWTO Ignore specific IP addresses Demetri Mouratis (May 13)
- Re: HOWTO Ignore specific IP addresses Edin Dizdarevic (May 13)
- Re: HOWTO Ignore specific IP addresses Dragos Ruiu (May 13)
- <Possible follow-ups>
- RE: HOWTO Ignore specific IP addresses Steven Rudolph (May 13)
