Snort Forums Archive
Ignoring certain IP addresses
Posted by amd599 on March 25, 2005 12:59:24
Today I found out that a lot of my network traffic that SNORT is picking up is coming from our printers. I have the IP addresses of about 15 printers that are connected; how can I set SNORT to ignore those IP addresses? You mentioned something about 'suppress' but I'm not sure exactly how that works. I'm looking through the SNORT Manual but can't seem to find anything on it. Please let me know, thanks again.
Posted by ByTe30 on April 01, 2005 09:30:12
One way to get around this issue is to create a pass rule for the IP or any snort rules that you want to ignore. Name your pass rules file "pass.rules". Create an entry in the "pass.rules" file containing the IP address of the device that you do not wish to see alerts for.
For example, let's say that your print server's IP address is 192.168.1.10. Your entry would look like:
pass ip 192.168.1.10 any -> any any
When you restart snort, be sure to use the -o option so that it will parse the "pass.rules" file before the other rules.
See the snort documentation for more info. There are other ways to accomplish the same thing, but for my implementation, using a "pass.rules" file works best.
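An added example, not part of the original post: one way to build the "pass.rules" file for a list of printers instead of typing each rule by hand. The inventory text and the function names are hypothetical; the script rejects malformed entries and whole subnets, since a pass rule for a network would silence alerts for every host in it.

```python
import ipaddress

# Constructed sample inventory: one printer address per line, including the
# kinds of mistakes a hand-kept list tends to contain.
SAMPLE_INVENTORY = """\
# print server from the post above
192.168.1.10
192.168.1.11
192.168.1.11
192.168.1.300
192.168.1.0/24
"""

def parse_inventory(text):
    """Return (hosts, rejected): unique single hosts, and (entry, reason) pairs."""
    hosts, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append((entry, "not a valid address"))
            continue
        if net.num_addresses != 1:
            # Only single hosts are allowed through to a pass rule.
            rejected.append((entry, "network, not a single host"))
            continue
        hosts.add(net.network_address)
    return sorted(hosts, key=lambda a: (a.version, int(a))), rejected

def build_pass_rules(hosts):
    """One pass rule per host, in the same form as the rule in the post."""
    return [f"pass ip {h} any -> any any" for h in hosts]

def render(text):
    """Full pass.rules content; rejected entries are kept as comments."""
    hosts, rejected = parse_inventory(text)
    lines = build_pass_rules(hosts)
    lines += [f"# skipped {entry}: {why}" for entry, why in rejected]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render(SAMPLE_INVENTORY), end="")
```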
Posted by cabanatom on August 17, 2006 06:13:15
Where do you place the -o option on restart? I'm assuming it is in the /etc/init.d/snort file. Yes? I'm having the same trouble. I can write somewhat the above rule but nothing seems to get filtered. I'm picking up all the routers in my network.