Problem
You need to log everything except . . .
Solution
Use the suppress keyword, as described in "Suppressing Rules," but use the additional options to qualify the suppression better.
suppress gen_id , sig_id , track , ip
Discussion
To be a little more selective with suppress, use the track and ip options. The track option specifies whether you are interested in packets coming or going, and ip specifies either a single IP address or a range.
To suppress an event from a specific IP:
suppress gen_id 1, sig_id 1234, track by_src, ip 192.168.0.8
To suppress an event going to a subnet:
suppress gen_id 1, sig_id 1234, track by_dst, ip 192.168.0.0/24
See Also
Beale, Jay. Snort 2.1 Intrusion Detection. Rockland, MA: Syngress, 2004.
Recipe 3.15
Recipe 3.17
Carrying Out Statistical Analysis |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index