Ignoring Some Alerts
Problem
You want to ignore some things that are being logged.
Solution
Create a pass rule to ignore the particular traffic. The following rule ignores all TCP traffic sourced from ServerA (substitute the host's IP address, or a variable defined in snort.conf, for ServerA):
pass tcp ServerA any -> any any
You must also change the rule testing order to pass|alert|log with the Snort -o command-line option. Snort's default order is alert|pass|log, so without -o a matching alert rule fires before the pass rule is ever tested and the pass rule has no effect:
[root@localhost root]# snort -o -c /etc/snort.conf
You can also ignore a host entirely by giving a Berkeley Packet Filter expression on the command line when starting Snort. Only packets that match the expression are captured, so traffic to or from ServerA never reaches the preprocessors or the rule engine:
snort -c /etc/snort.conf not host ServerA
Discussion
There are two ways to configure Snort to ignore certain types of traffic: use a pass rule, or use a Berkeley Packet Filter on startup. The two are not equivalent. A pass rule is only as broad as you write it (the rule above covers TCP from ServerA and nothing else) and only works once pass rules are tested first; a BPF filter such as not host ServerA discards packets in both directions before any processing, so they are neither alerted on nor logged. Be extra careful when using pass rules and filters so that you don't accidentally configure your IDS in a way that it misses alerting on potential intrusions: a whitelisted host that is later compromised can launch attacks the sensor will never report.
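The following toy model illustrates the ordering behaviour described in the Solution and the caveat above. It is an added example, not code from the Snort Cookbook or the Snort project, and it is a simplified model of rule-type ordering rather than Snort's detection engine. ServerA is assumed to be 10.0.0.5, and every rule and packet below is constructed for illustration.

```python
"""Toy model of how Snort 2 orders rule types when several rules match one
packet. Added example, not Snort's own code: a simplified model of the
pass|alert|log ordering, with ServerA assumed to be 10.0.0.5."""

import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str          # source IP address
    dst: str          # destination IP address
    payload: bytes


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass", "alert" or "log"
    proto: str                        # "tcp", "udp" or "ip" (ip matches either)
    src: str                          # source IP or CIDR, or "any"
    content: Optional[bytes] = None   # bytes that must appear in the payload; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any":
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


# Snort's default order tests alert rules first, so an alert fires even when a
# pass rule also matches. `snort -o` switches to the second order.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")


def first_action(rules: Sequence[Rule], pkt: Packet,
                 order: Sequence[str] = DEFAULT_ORDER) -> Optional[str]:
    """Action of the first rule type in `order` that has a matching rule, or None."""
    for action in order:
        if any(r.action == action and r.matches(pkt) for r in rules):
            return action
    return None


def bpf_not_host(host: str) -> Callable[[Packet], bool]:
    """Model of `not host X` on the snort command line: packets to or from X
    are dropped at capture time, before any rule is evaluated."""
    return lambda pkt: pkt.src != host and pkt.dst != host


def run_sensor(rules: Sequence[Rule], packets: Sequence[Packet],
               order: Sequence[str] = DEFAULT_ORDER,
               capture_filter: Optional[Callable[[Packet], bool]] = None) -> List[str]:
    """Verdict per packet: 'filtered' (never captured), a rule action, or 'none'."""
    verdicts = []
    for pkt in packets:
        if capture_filter is not None and not capture_filter(pkt):
            verdicts.append("filtered")
        else:
            verdicts.append(first_action(rules, pkt, order) or "none")
    return verdicts


# Constructed rule set: one generic signature plus the recipe's pass rule.
# Note that the pass rule covers TCP only, exactly as written in the recipe.
RULES = [
    Rule("alert", "ip", "any", b"/etc/passwd"),   # alert ip any any -> any any (content:"/etc/passwd")
    Rule("pass", "tcp", "10.0.0.5"),              # pass tcp ServerA any -> any any
]

# Constructed packets; all three carry the signature.
PKT_A_TCP = Packet("tcp", "10.0.0.5", "10.0.0.20", b"GET /../../etc/passwd")
PKT_B_TCP = Packet("tcp", "10.0.0.7", "10.0.0.20", b"GET /../../etc/passwd")
PKT_A_UDP = Packet("udp", "10.0.0.5", "10.0.0.20", b"/etc/passwd")


if __name__ == "__main__":
    pkts = [PKT_A_TCP, PKT_B_TCP, PKT_A_UDP]
    # Without -o the pass rule never wins: ServerA still alerts.
    print("default order :", run_sensor(RULES, pkts))
    # With -o ServerA's TCP traffic is passed, including a packet carrying an
    # attack signature (the risk the Discussion warns about). Its UDP traffic
    # and everything from other hosts still alert.
    print("pass|alert|log:", run_sensor(RULES, pkts, PASS_FIRST_ORDER))
    # The BPF filter drops ServerA's packets before any rule runs, whatever the order.
    print("not host      :", run_sensor(RULES, pkts, capture_filter=bpf_not_host("10.0.0.5")))
```

Run it and compare the three verdict lists: the default order alerts on every packet, the -o order passes only ServerA's TCP packet, and the capture filter removes both of ServerA's packets while leaving the other host's alert intact.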
See Also
http://www.tcpdump.org
Logging to System Logfiles