|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Alberto Gonzalez (ag-snort_at_cerebro.violating.us)
Date: Tue Oct 15 2002 - 08:31:00 CDT
Ok, you have two basic options on ignoring hosts:
BPF Filters
Pass Rules
<snip>
Here is a basic example of how-to ignore a host with for each method. Are
they perfect? No. Want to improve and/or correct them? Sure! Feel free!
To ignore ICMP ECHO-REQUESTS (pings) and ICMP-ECHO REPLY's (ping reply) from
host <foo> using BPF:
not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )
To ignore ALL ICMP traffic from host <foo> using a pass rule:
pass icmp <foo> any -> $HOME_NET any
And you _MUST_ start snort with the '-o' parameter for the pass rule to work
correctly.
<snip>
this is taken from: http://www.theadamsfamily.net/~erek/snort/ignore.txt
John Maestrale wrote:
>How do I ignore a specific host..
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users
lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
-- The secret to success is to start from scratch and keep on scratching.------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]