SNORT and ignoring hosts
Can't quit figure out how to ignore a single computer.
I have a computer which continuously gets following alert. It is because it
is making lots of SNMP requests which is what it is suppose to do. How do I
get snort to ignore a single host like this or just ignore this particular
alert?
thanks terry
[**] [1:1417:9] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/21-03:37:59.626234 12.170.222.13:53965 -> 12.170.222.148:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:118 DF
Len: 90
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012
http://www.securityfocus.com/bid/4132]
http://www.securityfocus.com/bid/4089]
http://www.securityfocus.com/bid/4088]
I have a computer which continuously gets following alert. It is because it
is making lots of SNMP requests which is what it is suppose to do. How do I
get snort to ignore a single host like this or just ignore this particular
alert?
thanks terry
[**] [1:1417:9] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/21-03:37:59.626234 12.170.222.13:53965 -> 12.170.222.148:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:118 DF
Len: 90
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012
http://www.securityfocus.com/bid/4132]
http://www.securityfocus.com/bid/4089]
http://www.securityfocus.com/bid/4088]
ASKER
I tried
snort -D -c ..\etc\snort.conf not host 12.170.222.13
but that did not seem to work
snort -D -c ..\etc\snort.conf not host 12.170.222.13
but that did not seem to work
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Did you try:
# snort <args> not \( host <ip> \)
Wesly