Maybe I overlooked this but I haven't found an option to negative filter events. Is this functionality available?
Could you explain what you mean by negative filtering?
Sorry for the delayed response. By negative filtering I mean: is it possible to configure BASE to ignore events that you specify? For instance, if I regularly run Nmap scans from a particular IP address against my network, the event queue fills up with the info from these scans. Could I configure BASE to say... ignore that IP address and the traffic of this type? This would cut down on the amount of events I see in my queue.
It seems to me the best option would be to use a pass rule and/or threshold/suppression rules in Snort.
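As an added illustration of the suggestion in the last reply (not from the original thread), here is what the two Snort-side approaches look like in Snort 2.x configuration for the scanner scenario described above. The scanner address 192.168.1.10, the $HOME_NET variable, the local SIDs in the 1000000+ range and the sfportscan signature IDs under gen_id 122 are assumptions for the example; confirm the GID:SID pair against the alert detail BASE shows and your gen-msg.map before copying them.

```conf
# --- Option 1: threshold.conf (included from snort.conf) ---
# Suppress portscan events (sfportscan preprocessor, gen_id 122) only when
# the source is the authorised scanner host. Suppressed events are never
# logged, so they never reach the database BASE reads from.
# 122:1 = TCP portscan, 122:3 = TCP portsweep (assumed; verify in gen-msg.map)
suppress gen_id 122, sig_id 1, track by_src, ip 192.168.1.10
suppress gen_id 122, sig_id 3, track by_src, ip 192.168.1.10

# Alternative to silencing a signature outright: rate-limit it so a noisy
# rule (hypothetical local SID 1000010) produces at most one alert per
# source every 5 minutes, and the scan still leaves a trace in BASE.
event_filter gen_id 1, sig_id 1000010, type limit, track by_src, count 1, seconds 300

# --- Option 2: a pass rule in local.rules ---
# Traffic matching a pass rule is not evaluated by the alert rules.
# Keep the scope narrow: "ip 192.168.1.10 any -> any any" would also hide
# genuine attacks if the scanner box were ever compromised.
pass ip 192.168.1.10 any -> $HOME_NET any (msg:"Authorised Nmap scanner - ignore"; sid:1000001; rev:1;)
```

Two caveats when choosing between them: the suppress/event_filter entries are what reach preprocessor-generated events such as sfportscan, while the pass rule only affects signature rules; and whether pass rules are evaluated before alert rules depends on the rule order setting (`config order:` in snort.conf, or the `-o` command-line flag on older releases), so check that for your version. Either change requires a Snort restart or reload, and events already stored in the database stay visible in BASE until you archive or delete them.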