Re: [Snort-users] Don't log events from local interface

From: Joel Esler (joel.eslersourcefire.com)
Date: Mon Oct 08 2007 - 10:43:09 CDT


There are a number of ways to do what you are asking. Basically, you want to ignore events coming from a single host.

The most efficient way to do this from Snort's perspective is a BPF.

Joel

On Mon, Oct 08, 2007 at 02:46:29PM +0000, it looks like co street sent me:
> Hi all,
>
> I've got a basic question:
>
> - On my PC, I've got 2 interfaces in bridge mode,
>
> - I've got a Nessus to scan my local network,
>
> - Snort is in IDS mode.
>
> When Nessus scans my local network, Snort detects these potential attacks...
>
> But I want to disable these alarms when my PC scans my local network.
>
> Do you have an idea how to do that? Or a link?
>
> Many Thanks,
>
> Mik
> PS: sorry for my bad English...

> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/

> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----
joel esler
http://demo.sourcefire.com/jesler.pgp.key
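
The BPF approach from the reply above, as an added example that is not part of the original thread or of Snort itself. A BPF drops packets before Snort inspects them, so this sketch excludes only scanner-to-local-network traffic in both directions rather than everything involving the scanner host. The addresses, file paths, interface name and function names are assumptions; `-F` is Snort's option for reading a BPF from a file.

```shell
#!/bin/sh
# Added example: build a BPF that hides only scanner <-> local-net traffic.
# All addresses below are constructed (RFC 5737 documentation range).

is_ipv4() {
    # Strict dotted-quad check so nothing else can leak into the filter.
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

build_scanner_bpf() {
    # $1 = local network in CIDR form, remaining args = scanner addresses.
    net=$1; shift
    is_ipv4 "${net%/*}" || { echo "invalid network: $net" >&2; return 1; }
    case ${net#*/} in ''|*[!0-9]*) echo "invalid prefix: $net" >&2; return 1 ;; esac
    [ "${net#*/}" -le 32 ] || { echo "invalid prefix: $net" >&2; return 1; }

    expr=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid scanner address: $ip" >&2; return 1; }
        # "host X and net N" would match ALL traffic of X when X is inside N,
        # so pin source and destination explicitly for each direction.
        clause="(src host $ip and dst net $net) or (dst host $ip and src net $net)"
        expr="${expr:+$expr or }$clause"
    done
    [ -n "$expr" ] || { echo "no scanner addresses given" >&2; return 1; }
    echo "not ($expr)"
}

# Usage (hypothetical paths and interface):
#   build_scanner_bpf 192.0.2.0/24 192.0.2.10 > /etc/snort/scanner.bpf
#   snort -c /etc/snort/snort.conf -i eth0 -F /etc/snort/scanner.bpf
```

Traffic between the scanner host and anything outside the listed network still reaches Snort's rules with this filter.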
