Snort mailing list archives
Re: Exclude IP addresses for all rules
From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Mon, 16 Dec 2002 09:11:15 +0100
Hi,
> I want to exclude IP addresses in my home net from being watched at all.

As you write 'being watched at all' the best thing to do is to ignore the IPs via BPF. Have a look at Erek Adams' post:
http://marc.theaimsgroup.com/?l=snort-users&m=102347618314311&w=2

Try starting snort with "snort -options.... not host 192.168.1.1 and not host 192.168.1.2".

> var HOME_NET [!$EXCLUDE,192.168.1.0/24]

The problem is that you have an ORed list in HOME_NET. !192.168.1.1 OR 192.168.1.0/24 matches on all IPs in 192.168.1.0/24. Have a look at my last week's post at
http://marc.theaimsgroup.com/?l=snort-users&m=103942066423750&w=2

HTH,
Jens
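The ORed-list behaviour described in the reply above, as an added example that is not part of the original post and is not Snort's own code. It is a small model of the list semantics the reply describes, and it assumes `$EXCLUDE` expands to the single host 192.168.1.1; the function names are hypothetical.

```python
import ipaddress

# Assumption: $EXCLUDE is the single host 192.168.1.1 (constructed sample value).
HOME_NET = "[!192.168.1.1,192.168.1.0/24]"

def parse_list(spec):
    """Split a bracketed address list into (negated, network) pairs."""
    items = []
    for raw in spec.strip().strip("[]").split(","):
        raw = raw.strip()
        negated = raw.startswith("!")
        net = ipaddress.ip_network(raw.lstrip("!"), strict=False)
        items.append((negated, net))
    return items

def matches_ored(spec, addr):
    """OR semantics from the reply: the list matches if ANY element matches.
    A negated element matches every address outside its network."""
    ip = ipaddress.ip_address(addr)
    return any((ip in net) != negated for negated, net in parse_list(spec))

def matches_with_exclusion(spec, addr):
    """What the original poster expected: inside a positive element
    and not covered by any negated element."""
    ip = ipaddress.ip_address(addr)
    items = parse_list(spec)
    included = any(ip in net for neg, net in items if not neg)
    excluded = any(ip in net for neg, net in items if neg)
    return included and not excluded

def bpf_exclude(hosts):
    """Build the BPF expression suggested in the reply for the given hosts."""
    return " and ".join(f"not host {h}" for h in hosts)

if __name__ == "__main__":
    for addr in ("192.168.1.1", "192.168.1.7"):
        print(addr,
              "ORed list:", matches_ored(HOME_NET, addr),
              "expected exclusion:", matches_with_exclusion(HOME_NET, addr))
    print("BPF filter:", bpf_exclude(["192.168.1.1", "192.168.1.2"]))
```

Under the ORed model the excluded host still matches because the 192.168.1.0/24 element covers it, which is why the reply moves the exclusion into the BPF filter instead.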