Excluding from Logging

Problem

You need to log everything except . . .

Solution

Use the suppress keyword, as described in "Suppressing Rules," but add the optional track and ip arguments to narrow the suppression to particular addresses rather than silencing the event everywhere.

suppress gen_id <gen-id>, sig_id <sig-id>, track <by_src|by_dst>, ip <ip|mask-bits>


Discussion

To be a little more selective with suppress, use the track and ip options together. The track option specifies which address the suppression is matched against: by_src matches the packet's source address, by_dst its destination. The ip option gives the address to match, either a single IP address or a CIDR range (address/mask-bits). Only events with the given gen_id and sig_id are affected; the same signature from other addresses is still logged.

To suppress an event from a specific IP:

suppress gen_id 1, sig_id 1234, track by_src, ip 192.168.0.8

To suppress an event going to a subnet:

suppress gen_id 1, sig_id 1234, track by_dst, ip 192.168.0.0/24
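As an added illustration (not code from the cookbook or from Snort itself), the following Python script parses suppress entries in the syntax above and checks whether a given event would be silenced. The entries and the event addresses are constructed for the example; it handles a single address or CIDR range per entry and treats an entry with no track/ip pair as suppressing the event regardless of address.

```python
import ipaddress
import re

# Constructed sample entries in threshold.conf style (not from the book).
SUPPRESS_CONF = """
# silence one noisy host as a source
suppress gen_id 1, sig_id 1234, track by_src, ip 192.168.0.8
# silence the same signature when aimed at the local subnet
suppress gen_id 1, sig_id 1234, track by_dst, ip 192.168.0.0/24
# no track/ip: the event is never logged, whatever the addresses
suppress gen_id 1, sig_id 2000
"""

# gen_id and sig_id are required; the track/ip pair is optional.
_LINE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(text):
    """Return a list of (gen_id, sig_id, track, network) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("bad suppress line: %r" % raw)
        gen_id, sig_id, track, ip = m.groups()
        # strict=False lets a host address stand for its own /32 network
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gen_id), int(sig_id), track, net))
    return rules


def is_suppressed(rules, gen_id, sig_id, src, dst):
    """True if an event (gen_id, sig_id) from src to dst matches an entry."""
    for r_gen, r_sig, track, net in rules:
        if (r_gen, r_sig) != (gen_id, sig_id):
            continue  # suppress entries are bound to one signature
        if net is None:
            return True  # no address qualifier: suppressed everywhere
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if addr in net:
            return True
    return False


RULES = parse_suppress(SUPPRESS_CONF)
```

Events that match neither the source host nor the destination subnet, or that carry a different sig_id, are still logged.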


See Also

Beale, Jay. Snort 2.1 Intrusion Detection. Rockland, MA: Syngress, 2004.

Recipe 3.15
