From: Erek Adams (erektheadamsfamily.net)
Date: Wed Jul 03 2002 - 12:42:36 CDT

    On Wed, 3 Jul 2002 DThomazflowserve.com wrote:

    >
    > How about removing an address from the rule.
    >
    > alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (msg:"MISC Large
    > ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown;
    > sid:499; rev:1;)
    >
    > I do not want to see alerts from 172.20.11.3, should I edit at the rule or
    > at the snort.conf?
    > When I remove from the rule I get this error running snort
    >
    > Jul 3 11:16:40 ormnm9 snort: FATAL ERROR: ERROR /etc/snort//misc.rules (7)
    > => Rule netmask (16!172.20.11.3/30) didn't x-late, WTF?
    >

    Nope. Wrong syntax. Have a look at:

            http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3

    From what I'm reading, your question has changed a bit. Now you're wanting to
    'ignore' a host and/or type of traffic from that host, but no others. If
    that's correct, then have a look at this:

            http://www.theadamsfamily.net/~erek/snort/ignore.txt

    If I'm wrong... *shrug* Guess that would be a penalty drink[0] for me. :)

    -----
    Erek Adams
    Nifty-Type-Guy
    TheAdamsFamily.Net

    [0] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
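
The address-negation syntax the reply points to, applied to the rule quoted above. This is an added example, not part of the original message or of the linked ignore.txt; the pass-rule variant and its `dsize` option are assumptions about what the poster wants to suppress.

```conf
# Rejected form from the quoted message: a variable and a negated address
# are run together in the source field, so the rule header cannot be parsed.
# alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (...)

# Negation is a prefix on the address (or on a bracketed address list).
# Note: this matches every source except 172.20.11.3, so the
# $EXTERNAL_NET restriction of the original rule no longer applies.
alert icmp !172.20.11.3 any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)

# Alternative (assumption): leave sid:499 as shipped and add a pass rule
# for the one host in a local rules file.
pass icmp 172.20.11.3 any -> $HOME_NET any (dsize: >800;)
```

Snort releases of that period evaluate alert rules before pass rules by default, so the pass rule only takes effect when Snort is started with `-o`. Editing a stock rule in place also means re-applying the change after each ruleset update.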
