Snort mailing list archives

Re: Exclude IP addresses for all rules


From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Mon, 16 Dec 2002 09:11:15 +0100

Hi,

> I want to exclude IP addresses in my home net from being watched at
> all.

As you write 'being watched at all', the best thing to do is to ignore
the IPs via BPF. Have a look at Erek Adams' post:

http://marc.theaimsgroup.com/?l=snort-users&m=102347618314311&w=2

Try starting snort with "snort -options.... not host 192.168.1.1 and not
host 192.168.1.2".

> var HOME_NET [!$EXCLUDE,192.168.1.0/24]

The problem is that you have an ORed list in HOME_NET. !192.168.1.1 OR
192.168.1.0/24 matches on all IPs in 192.168.1.0/24.

Have a look at my last week's post at
http://marc.theaimsgroup.com/?l=snort-users&m=103942066423750&w=2

HTH,
        Jens
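
Added example (not part of the original message and not Snort's own code): a small Python model of the two behaviours described above, the ORed HOME_NET list that still matches the excluded host and the BPF filter that drops its traffic before any rule sees it. The function names and sample addresses outside the post are assumptions made for illustration.

```python
import ipaddress

def or_list_matches(addr, entries):
    """Model of the ORed list described in the post: an address matches
    if ANY single entry matches; a '!' entry matches every address
    except its own host or network."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if (ip in net) != negated:
            return True
    return False

def bpf_exclude(hosts):
    """Build the capture filter from the post:
    'not host A and not host B'. Addresses are validated first."""
    return " and ".join(f"not host {ipaddress.ip_address(h)}" for h in hosts)

def bpf_passes(src, dst, excluded):
    """Model of that filter: BPF 'host X' matches when X is the source
    or the destination, so a packet passes only if neither end is excluded."""
    ex = {ipaddress.ip_address(h) for h in excluded}
    return ipaddress.ip_address(src) not in ex and ipaddress.ip_address(dst) not in ex

# The list as expanded in the post, and the two hosts from the BPF example.
HOME_NET = ["!192.168.1.1", "192.168.1.0/24"]
EXCLUDE = ["192.168.1.1", "192.168.1.2"]

if __name__ == "__main__":
    # The excluded host still matches because the /24 entry matches it.
    print("192.168.1.1 in ORed HOME_NET:", or_list_matches("192.168.1.1", HOME_NET))
    print("BPF filter:", bpf_exclude(EXCLUDE))
    # Constructed sample packets (src, dst); 10.0.0.5 is an assumed outside host.
    for src, dst in [("192.168.1.1", "10.0.0.5"), ("192.168.1.77", "10.0.0.5")]:
        print(src, "->", dst, "reaches Snort:", bpf_passes(src, dst, EXCLUDE))
```

Because the filter is applied at capture time, excluded hosts are invisible to every rule and preprocessor, including traffic sent to them.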

