Snort mailing list archives
snort not ignoring traffic
From: Tyler Owen <t.l.owen () larc nasa gov>
Date: 14 Jan 2002 12:44:02 -0500
I am having two problems with snort not ignoring traffic.

My Config: I have two sensors running snort 1.8.3 logging to a central mysql database. They both have the same snort.conf and same rules. Where I am located on the network I see local traffic as well as external traffic. I am using DEMARC to view and manage the alerts and also to configure the sensors. I am also running snort with the -o option for my pass rule.

Problem 1: I want to ignore all of the local traffic and only get "alerts" on external to local traffic. I have set HOME_NET [172.24.0.0/16,10.10.0.0/16] and EXTERNAL_NET !$HOME_NET (first of all is that OK?) but I still see the traffic. I have also tried setting EXTERNAL_NET !172.24.0.0/16 and I still see the traffic between local hosts.

Problem 2: I set a variable to be the IPs of hosts that run vulnerability scans internally to ignore traffic from them. This works on one of the sensors but not the other?? The rule is:

    pass tcp $INFO_SEC_PCS any -> any any;

Any ideas why this would work on one host but not the other?

Thanks for your time!

Tyler

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
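
A model of the address matching described in the post above, added here as an example; it is not code from the poster or from Snort and does not reproduce Snort 1.8.3 itself. The HOME_NET list and the pass rule come from the post; the scanner address, the three alert rules and the sample flows are constructed assumptions.

```python
import ipaddress

# From the post: HOME_NET list, EXTERNAL_NET = !$HOME_NET.
HOME_NET = ["172.24.0.0/16", "10.10.0.0/16"]
INFO_SEC_PCS = ["172.24.9.9/32"]   # constructed scanner address (assumption)

# Address spec = (negated, cidr_list); cidr_list None means "any".
ANY = (False, None)
HOME = (False, HOME_NET)
EXTERNAL = (True, HOME_NET)        # "!" negates the whole list
SCANNERS = (False, INFO_SEC_PCS)

def addr_match(ip, spec):
    """True if ip satisfies an address spec."""
    negated, cidrs = spec
    if cidrs is None:
        return True
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(c) for c in cidrs)
    return hit != negated

# (action, proto, src, dst, label). Only the pass rule is from the post;
# the alert rules are constructed stand-ins for a ruleset.
RULES = [
    ("pass",  "tcp", SCANNERS, ANY,  "pass-scanners"),
    ("alert", "tcp", EXTERNAL, HOME, "ext-to-home"),
    ("alert", "tcp", ANY,      HOME, "any-to-home"),
    ("alert", "udp", ANY,      HOME, "udp-any-to-home"),
]

def verdict(proto, src, dst, rules=RULES):
    """Evaluate pass rules before alert rules, the order -o selects."""
    for wanted in ("pass", "alert"):
        for action, r_proto, r_src, r_dst, label in rules:
            if (action == wanted and r_proto == proto
                    and addr_match(src, r_src) and addr_match(dst, r_dst)):
                return f"{action}:{label}"
    return "no-match"

if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("tcp", "192.0.2.7", "172.24.1.1"),    # external -> local
        ("tcp", "172.24.1.2", "10.10.3.3"),    # local -> local
        ("tcp", "172.24.9.9", "10.10.3.3"),    # scanner -> local
        ("tcp", "10.10.3.3", "172.24.9.9"),    # local -> scanner (reply)
        ("udp", "172.24.9.9", "10.10.3.3"),    # scanner, non-TCP
    ]
    for flow in flows:
        print(flow, "->", verdict(*flow))
```

In this model, local-to-local flows are excluded only by rules whose source is the negated list, and the one-directional TCP pass rule covers neither replies sent to the scanner nor its non-TCP probes.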