Snort mailing list archives
RE: Home_net & external_net
From: "Don" <Don () WeberOnTheWeb com>
Date: Thu, 5 Dec 2002 17:25:25 -0800
I'm not sure if you can have the ANY there inside those parentheses. Maybe try a trusted_net variable; since you're excluding one segment of your home_net, do:

var TRUSTED_NET [192.168.40.0/24,!10.14.0.0/16]
var EXTERNAL_NET !$TRUSTED_NET

don

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeremy Finke
Sent: Thursday, December 05, 2002 4:20 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Home_net & external_net

I have something that is driving me crazy. I have alerts going off from within two different segments of my HOME_NET. I don't understand why I am seeing these. Here are the 2 lines from my snort.conf:

var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]

I have an alert from 10.14.1.50 going to 192.168.40.65 that is SNMP request udp. Why is that showing up? Since they are both HOME_NET networks, shouldn't snort not log this type of activity? I also have other examples:

#7-(2-1418) [arachnids][snort] ICMP L3retriever Ping 2002-12-05 18:13:15 10.14.1.50 192.168.40.67 ICMP
#9-(2-1426) [cve][icat][arachnids][snort] TELNET access 2002-12-05 18:15:41 192.168.40.53:23 10.14.14.182:1925

Thanks!

Jeremy T. Finke
Systems Engineer
Meridian IQ
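Added example, not part of the original messages and not Snort's own code: a Python check that evaluates the two var lines from the original post against the endpoints of the alerts it quotes. It assumes an address matches a list when it is in some non-negated entry and in no negated entry (the reading the post expects, not a statement about how this Snort version parses the list); 192.168.41.10 and 203.0.113.7 are constructed addresses.

```python
import ipaddress

# The two definitions from the original post, copied verbatim.
CONF = """
var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
"""

def parse_vars(text):
    """Return {name: (included_networks, excluded_networks)}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "var":
            continue
        include, exclude = [], []
        for item in parts[2].strip("[]").split(","):
            target = exclude if item.startswith("!") else include
            item = item.lstrip("!")
            cidr = "0.0.0.0/0" if item.lower() == "any" else item
            target.append(ipaddress.ip_network(cidr))
        out[parts[1]] = (include, exclude)
    return out

def member(addr, var):
    """Assumed semantics: in some included net and in no excluded net."""
    ip = ipaddress.ip_address(addr)
    include, exclude = var
    return any(ip in n for n in include) and not any(ip in n for n in exclude)

def classify(addr, variables):
    """Names of the variables that contain addr, sorted."""
    return sorted(name for name, var in variables.items() if member(addr, var))

VARS = parse_vars(CONF)

if __name__ == "__main__":
    # Alert endpoints quoted in the post, then one host in 192.168.41.0/24
    # and one outside host (both constructed for this example).
    for a in ["10.14.1.50", "192.168.40.65", "192.168.40.67",
              "192.168.40.53", "10.14.14.182", "192.168.41.10", "203.0.113.7"]:
        print(f"{a:15} {classify(a, VARS)}")
```

Under that reading every alert endpoint from the post falls only in HOME_NET, while the 192.168.41.0/24 segment falls in both variables because it is listed in HOME_NET but not negated in EXTERNAL_NET.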