On 15/12/2007, Alexander Bondarenko <[EMAIL PROTECTED]> wrote:
> Hi !
>
> threshold.conf is not what you want because it allows you to suppress a
> particular rule for a particular src | dst ip address. If you want to
> ignore all traffic for 192.168.1.0/24 you should use bpf filters with snort.
I agree with Alexander that this is how you drop all alerts from and to a
particular netblock, but I don't think this is a good idea in practice.
You'd be throwing all the useful information away with the false
positives. I used to run snort on a /16 and it was extremely noisy at
first, but a bit of hand-tuning of the rules really paid off.

cheers,
Jamie
--
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
UK Honeynet Project: http://www.ukhoneynet.org/
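As an added illustration of the trade-off the two replies describe (this is not part of the thread and not Snort's own code), the Python below parses `suppress` entries in the Snort 2 threshold.conf syntax and applies them to a handful of constructed alert records, next to an emulation of a BPF `not net 192.168.1.0/24` capture filter. The alerts, their signature ids (made-up values from the local-rule range) and the threshold.conf fragment are all constructed for the example; the `suppress gen_id ..., sig_id ..., track by_src|by_dst, ip ...` form is the real Snort 2 syntax.

```python
"""Added example (not from the thread, not Snort's own code): contrast a BPF
capture filter that excludes a whole netblock with threshold.conf 'suppress'
entries in the Snort 2 syntax, using constructed alert records."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    gid: int   # generator id (1 = text rules)
    sid: int   # signature id
    src: str
    dst: str
    msg: str


# Constructed alerts standing in for a Snort alert log. The sids are made-up
# values from the local-rule range (>= 1000000), not real Snort rules.
SAMPLE_ALERTS = [
    Alert(1, 1000001, "192.168.1.10", "10.0.0.5", "noisy lab scanner"),
    Alert(1, 1000002, "192.168.1.10", "10.0.0.5", "suspicious login from lab host"),
    Alert(1, 1000001, "172.16.0.9", "10.0.0.5", "noisy lab scanner"),
    Alert(1, 1000003, "10.0.0.5", "192.168.1.20", "server beaconing into lab"),
    Alert(1, 1000003, "10.0.0.5", "10.0.0.6", "server beaconing internally"),
]

# Constructed threshold.conf: silence only the noisy signature, and only when
# the source is in the lab netblock.
SAMPLE_THRESHOLD_CONF = """
# lab scanner is expected; everything else from that range still alerts
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.0/24
"""

_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$"
)


def parse_suppress(conf: str):
    """Parse 'suppress' lines into (gid, sid, track, network) tuples.
    A line without track/ip suppresses the signature everywhere."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised threshold.conf line: {raw!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules


def is_suppressed(alert: Alert, rules) -> bool:
    """True if some suppress entry matches this alert's signature and address."""
    for gid, sid, track, net in rules:
        if (gid, sid) != (alert.gid, alert.sid):
            continue
        if net is None:
            return True
        addr = alert.src if track == "by_src" else alert.dst
        if ipaddress.ip_address(addr) in net:
            return True
    return False


def alerts_after_suppress(alerts, conf: str):
    """Alerts that survive threshold.conf suppression."""
    rules = parse_suppress(conf)
    return [a for a in alerts if not is_suppressed(a, rules)]


def alerts_after_bpf_not_net(alerts, cidr: str):
    """Emulate 'not net <cidr>': a packet with either endpoint in the range
    never reaches detection, so no alert of any kind is produced for it."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [
        a for a in alerts
        if ipaddress.ip_address(a.src) not in net
        and ipaddress.ip_address(a.dst) not in net
    ]


if __name__ == "__main__":
    kept_bpf = alerts_after_bpf_not_net(SAMPLE_ALERTS, "192.168.1.0/24")
    kept_sup = alerts_after_suppress(SAMPLE_ALERTS, SAMPLE_THRESHOLD_CONF)
    print(f"BPF 'not net' keeps {len(kept_bpf)} of {len(SAMPLE_ALERTS)} alerts")
    print(f"suppress keeps {len(kept_sup)} of {len(SAMPLE_ALERTS)} alerts")
    for a in kept_sup:
        if a not in kept_bpf:
            print("  lost only under BPF:", a.msg)
```

On the sample data the BPF exclusion keeps two of the five alerts, while the targeted `suppress` keeps four: the login and beaconing alerts that involve the lab range are exactly the ones a blanket netblock filter throws away. In a real Snort 2 deployment the BPF expression is passed as the trailing command-line arguments or read from a file with `-F`, and the `suppress` line lives in the threshold.conf that snort.conf includes.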
