From: DThomaz flowserve.com
Date: Wed Jul 03 2002 - 13:01:34 CDT
On Wed, 3 Jul 2002 DThomaz flowserve.com wrote:
>
> How about removing an address from the rule?
>
> alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)
>
> I do not want to see alerts from 172.20.11.3, should I edit at the rule or
> at the snort.conf?
> When I remove from the rule I get this error running snort
>
> Jul 3 11:16:40 ormnm9 snort: FATAL ERROR: ERROR /etc/snort//misc.rules (7) => Rule netmask (16!172.20.11.3/30) didn't x-late, WTF?
>
Nope. Wrong syntax. Have a look at:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3
From what I'm reading, your question has changed a bit. Now you're wanting to
'ignore' a host and/or type of traffic from that host, but no others. If
that's correct, then have a look at this:
http://www.theadamsfamily.net/~erek/snort/ignore.txt
If I'm wrong... *shrug* Guess that would be a penalty drink[0] for me. :)
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
[0] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt