Snort mailing list archives
Re: ignoring unwanted traffic coming from source
From: "Emre Yildirim" <emre () vsrc uab edu>
Date: Sun, 9 Dec 2001 00:29:28 -0600 (CST)
> Emre: OK: let's see.. If you're setting HOME_NET and EXTERNAL_NET the same, then a lot of the rules will end up applying to most anything, because the rule sees no difference in incoming versus outgoing... I think you've got to set $HOME_NET to the IP block of your internal network. If, as you said below you tried 12.34.56.78/24 -- that won't work unless you really did 12.34.56.0/24 to indicate a netblock. 12.34.56.78 as a single host would want to be 12.34.56.78/32 -- the /32 indicating that this is *one* computer only.
okay, here's what I did: I set HOME_NET to 12.34.56.78/32 and EXTERNAL_NET is still set to any. I tried port scanning from the machine and then port scanning the machine from some other machine (if that makes any sense). The port scan showed up in the alerts when I scanned 12.34.56.78 from some other machine, but no port scan alerts showed up when I scanned some other machine from 12.34.56.78. So I guess it's working? I have to give it a few days run time to see how many alerts get generated, and see if any of those have a source of 12.34.56.78. If none of them do, it worked. It's been a long time since I set up snort (and it seems like it changed a lot over a year)...forgive me :-D Thanks for the help!
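The effect Emre observed follows directly from how the `$EXTERNAL_NET any -> $HOME_NET any` rule header is evaluated against the two variables. The script below is an added example, not part of the thread or of Snort itself: it models that evaluation (not Snort's actual parser) for the settings discussed, using the thread's placeholder host 12.34.56.78 and a constructed remote address 10.0.0.5.

```python
"""Model of Snort HOME_NET / EXTERNAL_NET variable matching (added example).
Rule header modelled:  alert tcp $EXTERNAL_NET any -> $HOME_NET any
"""
import ipaddress

HOST = "12.34.56.78"   # the sensor host from the thread (placeholder address)
REMOTE = "10.0.0.5"    # constructed address of "some other machine"


def parse_var(value):
    """Parse an address variable into (negated, network).
    'any' -> (False, None); a leading '!' negates the network.
    strict=True rejects a prefix with host bits set, so 12.34.56.78/24
    raises ValueError while 12.34.56.0/24 and 12.34.56.78/32 parse."""
    value = value.strip()
    if value == "any":
        return (False, None)
    negated = value.startswith("!")
    return (negated, ipaddress.ip_network(value.lstrip("!"), strict=True))


def is_valid_netblock(value):
    """True if the variable parses; False for host bits set in the prefix."""
    try:
        parse_var(value)
        return True
    except ValueError:
        return False


def var_matches(var, address):
    """Does a single address satisfy a parsed variable?"""
    negated, net = var
    if net is None:          # 'any'
        return True
    hit = ipaddress.ip_address(address) in net
    return not hit if negated else hit


def inbound_rule_fires(src, dst, home_net, external_net):
    """Evaluate $EXTERNAL_NET -> $HOME_NET for a packet from src to dst."""
    return (var_matches(parse_var(external_net), src)
            and var_matches(parse_var(home_net), dst))


def scan_alerts(home_net, external_net):
    """(alert on scan OF the host, alert on scan FROM the host) for the
    two tests Emre ran."""
    return (inbound_rule_fires(REMOTE, HOST, home_net, external_net),
            inbound_rule_fires(HOST, REMOTE, home_net, external_net))


if __name__ == "__main__":
    print(scan_alerts("any", "any"))                 # both directions fire
    print(scan_alerts(HOST + "/32", "any"))          # only the inbound scan fires
    print(scan_alerts(HOST + "/32", "!" + HOST + "/32"))
    print(is_valid_netblock("12.34.56.78/24"), is_valid_netblock("12.34.56.0/24"))
```

Setting `EXTERNAL_NET` to `!$HOME_NET` gives the same two results as `any` here, and once `HOME_NET` is a real netblock such as 12.34.56.0/24 it additionally keeps traffic between two internal hosts from matching the rule.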
Current thread:
- ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source John Sage (Dec 09)
- Re: ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source John Sage (Dec 09)
- Re: ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source Emre Yildirim (Dec 09)
- Re: ignoring unwanted traffic coming from source John Sage (Dec 09)
- <Possible follow-ups>
- RE: ignoring unwanted traffic coming from source Ryan Hill (Dec 10)