Ignoring certain networks or addresses in Snort

Snort, like any IDS, is bound to produce false positives, particularly right after it’s been installed. This is especially true for very ambiguous alerts. Take the following for instance:

SHELLCODE x86 inc ebx NOOP

This alert is generated by an executable being downloaded over the network. Of course, an executable program can be an equally legitimate or malicious thing. An alert every time a .exe is pulled from the internet is undesirable, but disabling the rule altogether might result in an administrator missing a security risk. Wouldn’t it be great if we could make Snort ignore certain networks altogether? That way, we can add the IP ranges of legitimate organizations where we expect such downloads to come from (Microsoft, etc.) and only be alerted when the download source is an untrusted location.

Let’s begin by opening snort.conf, Snort’s configuration file. Search for the line which says:

config bpf_file

Begin by uncommenting it. Next, add the location of the file which will define our whitelisted hosts and networks. What you call it isn’t important. The line in my Snort configuration therefore looks like the following:

config bpf_file: /etc/snort/ignore.bpf

Save your snort.conf and exit the editor. Next, create the file you just specified. In it, it is simple to whitelist individual hosts or networks in CIDR notation. Here are some examples below. The ! before an expression indicates the host or network is to be ignored. You can get granular with options like src, dst, port and more. Notice that an ‘and’ must be appended onto the end of each line if there are more after it!

# Business partner IP Ranges
!(net and
!(net and

#Test server
!(host and

!(src net && dst net && dst port 80)
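Because a missing or trailing ‘and’ stops Snort from starting, it helps to generate the ignore file from a list rather than hand-editing it. The following is an added example and not code from the original post: it assumes the bpf_file setting shown above (one libpcap filter expression per file), uses constructed RFC 5737 documentation ranges in place of real partner addresses, and emits the same !(net …) and / !(host …) layout as the post. It also answers the question you will want to ask before deploying the file: which addresses will Snort no longer see at all?

```python
"""Generate a Snort bpf_file ignore list from a list of trusted sources.

Added example, not from the original post.  Assumes snort.conf contains
`config bpf_file: /etc/snort/ignore.bpf` and that the file holds a single
libpcap filter expression.  All addresses below are constructed placeholders
(RFC 5737 / RFC 1918 ranges), not real partner networks.
"""
import ipaddress

# Constructed sample whitelist.  Each entry is (comment, kind, value); kind is
# "net" (CIDR), "host" (single address) or "raw" (a hand-written primitive such
# as the src/dst/port form from the post, passed through unvalidated).
TRUSTED = [
    ("Business partner IP ranges", "net", "192.0.2.0/24"),
    ("Business partner IP ranges", "net", "198.51.100.0/24"),
    ("Test server", "host", "203.0.113.10"),
    ("Partner web traffic only", "raw",
     "src net 192.0.2.0/24 && dst net 10.0.0.0/8 && dst port 80"),
]


def bpf_term(kind, value):
    """Return one negated BPF primitive such as '!(net 192.0.2.0/24)'.

    net/host values are validated with the ipaddress module, so a typo (or a
    CIDR with host bits set) fails here rather than at Snort startup.
    """
    if kind == "net":
        net = ipaddress.ip_network(value, strict=True)  # rejects 192.0.2.5/24
        return f"!(net {net.with_prefixlen})"
    if kind == "host":
        return f"!(host {ipaddress.ip_address(value)})"
    if kind == "raw":
        return f"!({value})"
    raise ValueError(f"unknown entry kind {kind!r}")


def build_bpf(entries):
    """Render the file body: comment lines plus one term per line.

    Every term except the last gets a trailing ' and' so the whole file parses
    as one expression; a trailing 'and' on the final line would be a syntax
    error, which is exactly the mistake the post warns about.
    """
    lines = []
    last_comment = None
    for i, (comment, kind, value) in enumerate(entries):
        if comment != last_comment:
            lines.append(f"# {comment}")
            last_comment = comment
        term = bpf_term(kind, value)
        if i < len(entries) - 1:
            term += " and"
        lines.append(term)
    return "\n".join(lines) + "\n"


def is_ignored(entries, ip):
    """Report whether traffic to/from `ip` is dropped before any Snort rule
    sees it.  Only net/host entries are evaluated; 'raw' entries depend on
    direction and port, so they are conservatively reported as not ignored."""
    addr = ipaddress.ip_address(ip)
    for _, kind, value in entries:
        if kind == "net" and addr in ipaddress.ip_network(value, strict=True):
            return True
        if kind == "host" and addr == ipaddress.ip_address(value):
            return True
    return False


if __name__ == "__main__":
    # Print the file body; redirect to /etc/snort/ignore.bpf (path assumed
    # from the post) and restart Snort to apply it.
    print(build_bpf(TRUSTED), end="")
    for probe in ("198.51.100.7", "203.0.113.11"):
        print(f"# {probe}: {'ignored' if is_ignored(TRUSTED, probe) else 'inspected'}")
```

Keep in mind that a bpf_file filter is applied before decoding, so anything it excludes is invisible to every rule, not just the noisy SHELLCODE one; is_ignored above is the quick way to confirm a range was not made broader than intended.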
