I am wrestling with the same issue right now. The closest I have found to official docs on tuning is:
There are at least three ways of doing this:
a. Filtering at origin (disabling a snort rule, setting a tcpdump-style filter at p0f, etc...)
b. Policy
c. Agent Consolidation (undocumented)
I have started working on removing the false positives via policies--we shall see how it goes.
Josh
There are primarily two ways to do this
suppress rule -- Disables alerting on a specific SID based on either source or destinationpass rule -- Allow traffic matching the rule to be passed without checking against any other rules
Pass Rules
Useful for ignoring traffic from hosts that are known to generate lots of alerts, but are also known to be trusted. Vulnerability assessment tools being a big one. They are written in the form of any other alert rule, except that the "pass" statement is used instead of "alert" If we wanted to allow all traffic from one of these we could use:
pass ip 10.10.8.200/32 any <> any any (msg: "Ignore all Network Health monitoring"; sid: 1000013;)
This is a very simple rule that will ignore any IP traffic with a source address of '10.10.8.200' with any source port going to any address on any destination port.
Suppress Rules
These are primarily used for filtering out false positives. They require the admin specify more information about the rule, e.g. gen_id and sig_id, as well as the conditions under which to ignore. Let's say we had a system that regularly performs gobs of reverse DNS lookups, and as such generates a lot of NXDOMAIN queries. This can often indicate network reconnaissance, but in this case it is expected behavior. We could ignore it using:
suppress gen_id 1, sig_id 13948, track by_dst, ip 10.10.8.240
For standard "alert" rules the gen_id is always 1, the SID we want to ignore is 13948, and the host that's performing all of these lookups is '10.10.8.240'.
Specific Request
In the situation you're laying out you should be able to get away with something like:
pass icmp 10.10.8.200/32 any <> any any (msg: "Ignore all ICMP Traffic by Host"; sid: 1000087;)
Similar to the IP based rule above, this should ignore any ICMP traffic that comes from '10.10.8.200', no matter who the destination is.
Additional Resources
These rules can, of course, get more complicated, but you'll want to read some more documentation on the specifics. Your best bet is to just do a few google searches and chunk through them, but useful documentation that I've found is (in no particular order):
Best Answer
Pulled Pork is now considered the recommended rule updating system for Snort. While it is not an official Sourcefire product, it is developed by a Sourcefire employee.
The syntax is slightly more complicated than oinkmaster, however a contributed script, oink-conv.pl, will read in your oinkmaster config and convert it to pulledpork syntax making system conversions much easier.
In addition to update standard rules, it is also capable of managing the so_rules that were previously a manual process.