Excluding from Logging


You need to log everything except . . .


Use the suppress keyword, as described in "Suppressing Rules," but use the additional options to qualify the suppression better.

suppress gen_id , sig_id , track , ip 



To be a little more selective with suppress, use the track and ip options. The track option specifies whether you are interested in packets coming or going, and ip specifies either a single IP address or a range.

To suppress an event from a specific IP:

suppress gen_id 1, sig_id 1234, track by_src, ip

To suppress an event going to a subnet:

suppress gen_id 1, sig_id 1234, track by_dst, ip


See Also

Beale, Jay. Snort 2.1 Intrusion Detection. Rockland, MA: Syngress, 2004.

Recipe 3.15

Recipe 3.17

Carrying Out Statistical Analysis

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


show all menu

Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167
Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net