| Search Site |
| Search Rules |
| Account |
| not registered? |
| can't login? |
| user preferences |
 |
 |
|
|||||||||||||||||||
Next: 3.10 How do I Up: 3 Configuring Snort Previous: 3.8 I have one
3.9 How do I ignore traffic coming from a particular host or hosts?
There are two basic ways to ignore traffic from a host:
- Pass Rules
- BPF Filters
- Pass Rules:
- Advantages:
- Gives you rule based control over the packets.
- Puts all your changes into 'one place'-snort.conf.
- Disadvantages:
- Reverses the Rule order, can cause some headaches in tracking down problems.
- One poorly written pass rule can 'blind' your whole network.
- The more specific the pass rule is, the more CPU snort needs to process it which may be important on loaded nets.
- Example:
For example to ignore ALL ICMP traffic from host <foo> using a pass rule:
pass icmp <foo> any -> $HOME_NET any
- Advantages:
- BPF Filters:
- Advantages:
- Drops the packet at the BPF interface, which saves on processing.
- Speeds up Snort since it 'never sees' those packets.
- Disadvantages:
- Poorly constructed filters can 'blind-side' you.
- Example:
- To ignore all traffic from 192.168.0.1:
snort <commandline options> not host 192.168.0.1
- To ignore all ICMP ECHO-REQUESTS (pings) and ICMP-ECHO REPLY's (ping
reply) from host
foo
:
snort <options> ``not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo> )''
- To ignore all traffic from 192.168.0.1:
- Advantages:
Next: 3.10 How do I Up: 3 Configuring Snort Previous: 3.8 I have one
| site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved. |