Snort mailing list archives

Re: Can't suppress "(snort decoder) Bad Traffic Same Src/Dst IP"


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 17 Oct 2005 17:25:30 -0400

Mike Kelley wrote:
> That's an awfully big hammer to hit those two tiny IPs ... What other
> alerts would I be disabling?
>
> config disable decode alerts ==> Turns off the alerts generated by the
> decode phase of Snort.
>
> I just want to suppress the alerts for 2 machines ... if other machines
> on the network start doing that I'd be concerned and would want to know.


Quite frankly, if *ANY* machine in my network did that I'd consider nuking it on
the spot and asking questions later.

However, for a finer-grained approach you could use a bpf to cause snort to not
see those packets.

This way you'd only lose the inspection of the offending packets.
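
The BPF approach suggested above, as an added example that is not part of the original message: a shell helper that builds a filter hiding from Snort only those packets whose IPv4 source and destination are equal and whose source is one of the listed hosts. The host addresses, config path and interface name are placeholder assumptions.

```shell
#!/bin/sh
# Added example: build a BPF expression for Snort that drops from inspection
# only same-src/dst IPv4 packets sent by specific hosts.

# Succeed only for a dotted-quad IPv4 address with octets 0-255, so nothing
# other than an address can end up inside the filter expression.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the filter. ip[12:4] and ip[16:4] are the IPv4 source and destination
# address fields; the outer "not" keeps every other packet visible to Snort,
# including same-src/dst packets from hosts that are not listed.
build_filter() {
    [ "$#" -gt 0 ] || { echo "usage: build_filter HOST..." >&2; return 2; }
    hosts=
    for h in "$@"; do
        is_ipv4 "$h" || { echo "not an IPv4 address: $h" >&2; return 1; }
        hosts="${hosts:+$hosts or }src host $h"
    done
    printf 'not (ip[12:4] = ip[16:4] and (%s))\n' "$hosts"
}

# Constructed placeholder hosts (documentation range), not taken from the thread.
FILTER=$(build_filter 192.0.2.10 192.0.2.11)
echo "$FILTER"

# Snort takes the expression as trailing arguments, or from a file with -F.
# Config path and interface below are assumptions:
#   snort -c /etc/snort/snort.conf -i eth0 "$FILTER"
```

Packets matched by the excluded clause bypass every rule and preprocessor, not just the decoder alert, which is the trade-off noted above.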


