Snort mailing list archives
Re: Exclude Source?
From: John Sage <jsage () finchhaven com>
Date: Sun, 9 Jun 2002 15:12:00 -0700
hmm.. How do you have $HOME_NET set?

- John

--
Warning: time of day goes back, taking countermeasures.
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

On Sun, Jun 09, 2002 at 01:37:13PM -0500, Darren Young wrote:
Is it possible to exclude based on the source IP address only?

Problem: I have a Linux (iptables) firewall connected to the Internet with a static IP using masquerading. Many times internal connections going out will trigger false alarms, especially portscans, and contain the external IP of my firewall as the source IP. My snort sensor is sitting outside the firewall, connected to the hub that my DSL line and firewall connect to, via a stealth interface so it can see everything.

Is it wise to simply say "don't bother with any traffic where the source IP is the external interface", or should I be more detailed? Perhaps just tell the portscan preprocessor this?

************************************************************
** Darren Young                                           **
** UNIX, Network & Security Consultant                    **
** YHL Solutions                                          **
** darren () younghome com                                **
** PGP: 6BAF 11AC D6D4 4F4F A94A C5AC 5926 5FC1 8A9F CC6D **
************************************************************
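The thread points at two knobs: the value of $HOME_NET (John's question) and the portscan preprocessor (Darren's own suggestion). The snort.conf fragment below is an added example for this archive page, not configuration posted by either participant; it uses Snort 1.x syntax from the era of the thread, and the addresses 203.0.113.5 (firewall external IP) and 192.168.1.0/24 (masqueraded LAN) are placeholders standing in for Darren's real ones.

```conf
# Added example, not from the thread. Sensor sits on the hub outside a
# masquerading iptables firewall. 203.0.113.5 is a placeholder for the
# firewall's static external address.

# Outside the firewall the sensor never sees 192.168.1.0/24; every
# internal host appears as 203.0.113.5. HOME_NET is therefore the
# firewall's public IP, and everything else is EXTERNAL_NET. Leaving
# HOME_NET at "any" (the default) makes the firewall's many outbound
# connections look like one host touching many ports on many peers.
var HOME_NET 203.0.113.5
var EXTERNAL_NET !$HOME_NET

# Narrow exclusion: keep inspecting the firewall's traffic with the
# normal rule set, but tell the portscan preprocessor not to count
# connections from the firewall as scan activity.
# Arguments: monitored network, port threshold, period (s), log file.
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 203.0.113.5

# Broad exclusion (what "don't bother with any traffic from the external
# interface" amounts to): a pass rule for all IP sourced from the
# firewall. Snort 1.x evaluates alert rules before pass rules unless it
# is started with -o, which changes the order to pass -> alert -> log.
pass ip 203.0.113.5 any -> any any
```

The narrow form is the one a defender usually wants: because of masquerading, the firewall's external IP is the only source address the sensor will ever see for an internal host, so a blanket pass rule also discards any outbound indicator of a compromised machine inside the LAN. The same blanket exclusion can be pushed down to libpcap with `snort -F <file>` and a filter file containing `not src host 203.0.113.5`, which drops those packets before any preprocessor or rule sees them, with the same loss of visibility.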