Ignoring Some Alerts

Problem

You want to ignore some things that are being logged.

Solution

Create a pass rule to ignore the particular traffic. The following rule ignores any traffic from ServerA:

pass tcp ServerA any -> any any

You must be sure to change the rule testing order to pass|alert|log by using the Snort -o command-line option:

[root@localhost root]# snort -o -c /etc/snort.conf

You can also ignore traffic by using a filter on the command line when starting Snort:

snort -c /etc/snort.conf not host ServerA

Discussion

There are two ways to configure Snort to ignore certain types of traffic: use a pass rule, or apply a Berkeley Packet Filter expression when Snort starts. Be extra careful when writing pass rules and filters so that you don't accidentally configure your IDS in a way that stops it from alerting on real intrusions.
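The two mechanisms from the Solution, modelled in Python as an added example (this is not Snort's own code): a minimal rule walker that shows why the pass rule only takes effect under the -o ordering, and a model of the BPF "not host" filter. The catch-all alert rule and the hosts ServerA, ServerB and Client are constructed for the example.

```python
# Added example (not Snort's own code): a small model of how Snort walks its
# rule types, to show why the pass rule in this recipe needs "snort -o", and
# how a BPF "not host" filter differs from a pass rule.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "alert", "pass" or "log"
    proto: str
    src: str      # source host, or "any"
    dst: str      # destination host, or "any"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst))

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default rule testing order
DASH_O_ORDER = ("pass", "alert", "log")    # order selected by snort -o

def evaluate(rules, pkt: Packet, order=DEFAULT_ORDER):
    """Return the action that fires for pkt. Snort tests every rule of one
    type before moving to the next type, so with the default order a matching
    alert rule wins even though a pass rule also matches."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action
    return None

def bpf_not_host(host: str, pkt: Packet) -> bool:
    """Model of the BPF expression 'not host X': True if the packet is kept.
    'host' matches either address, so traffic *to* X is dropped as well,
    unlike the pass rule above, which names X only as the source."""
    return host not in (pkt.src, pkt.dst)

# Constructed rule set: a catch-all alert plus the recipe's pass rule.
RULES = [Rule("alert", "tcp", "any", "any"),
         Rule("pass", "tcp", "ServerA", "any")]
FROM_A = Packet("tcp", "ServerA", "Client")
TO_A = Packet("tcp", "Client", "ServerA")
OTHER = Packet("tcp", "ServerB", "Client")
```

Calling evaluate(RULES, FROM_A) returns "alert" under the default order but "pass" under DASH_O_ORDER, while bpf_not_host("ServerA", TO_A) is False, showing that the command-line filter also silences traffic sent to ServerA.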

See Also

http://www.tcpdump.org

Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167