Ignoring Some Alerts

Problem

You want to ignore some things that are being logged.

Solution

Create a pass rule to ignore the particular traffic. The following rule ignores any traffic from ServerA:

pass tcp ServerA any -> any any

You must be sure to change the rule testing order to pass|alert|log by using the Snort -o command-line option:

[root@localhost root]# snort -o -c /etc/snort.conf

You can also ignore traffic by using a filter on the command line when starting Snort:

snort -c /etc/snort.conf not host ServerA

Discussion

There are two ways to configure Snort to ignore certain types of traffic: use a pass rule or use a Berkeley Packet Filter on startup. Be extra careful when using pass rules and filters so that you don't accidentally configure your IDS in a way that it misses alerting on potential intrusions.

See Also

http://www.tcpdump.org