Snort mailing list archives
Re: exclude home_net from external_net
From: Alberto Gonzalez <ag-snort () cerebro violating us>
Date: Thu, 24 Oct 2002 09:56:59 -0700
var EXTERNAL_NET !$HOME_NET

pilsl () goldfisch at wrote:
I'm quite new to snort. I set the home_net to my internal-net and external_net to any. Now I got myriads of alerts when internal clients connect to our squid server. Of course this is not what I want (alerts are only useful on external connects), so I took a close look at the corresponding rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)

sid-msg.map:
618 || SCAN Squid Proxy attempt

In that sense of course any connect from HOME_NET to HOME_NET will raise an alert, cause home_net is a real subnet of EXTERNAL_NET. So I think it would be wise to define EXTERNAL_NET as "ANY but not HOME_NET".

Is there any reason why I don't want to do this? If not: how could I do this? In the docs I found only ways to specify include-changes but no ways to specify exclude-ranges.

Of course I could remove the whole rule on the sensor for the internal interface, but I'd like to keep both rulesets consistent for easier maintenance.

best,
peter
--
The secret to success is to start from scratch and keep on scratching.
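The effect of the two EXTERNAL_NET definitions discussed in this thread, as an added example that is not part of the original messages and is not Snort's own code. It is a simplified model of how the header of sid:618 matches addresses (only `any`, a single CIDR, `$VAR` and `!` are handled); the 192.168.1.0/24 HOME_NET, the sample connections and all function names are constructed for illustration.

```python
import ipaddress

def parse_var(value, variables):
    """Resolve a Snort-style address value to (negated, network); network None means 'any'."""
    negated = False
    if value.startswith("!"):
        negated, value = True, value[1:]
    if value.startswith("$"):
        # Variable reference: resolve it and combine the negations.
        inner_negated, net = parse_var(variables[value[1:]], variables)
        return (negated != inner_negated, net)
    if value == "any":
        return (negated, None)
    return (negated, ipaddress.ip_network(value))

def addr_matches(addr, spec):
    negated, net = spec
    hit = True if net is None else ipaddress.ip_address(addr) in net
    return hit != negated

def sid_618_fires(conn, variables):
    """Header model: alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (flags:S)."""
    src_ok = addr_matches(conn["src"], parse_var("$EXTERNAL_NET", variables))
    dst_ok = addr_matches(conn["dst"], parse_var("$HOME_NET", variables))
    return src_ok and dst_ok and conn["dport"] == 3128 and conn["flags"] == "S"

# Constructed sample traffic; 192.168.1.10 plays the squid server.
CONNS = [
    {"name": "internal->squid", "src": "192.168.1.50", "dst": "192.168.1.10", "dport": 3128, "flags": "S"},
    {"name": "external->squid", "src": "203.0.113.7", "dst": "192.168.1.10", "dport": 3128, "flags": "S"},
    {"name": "external->web", "src": "203.0.113.7", "dst": "192.168.1.10", "dport": 80, "flags": "S"},
]

# The original poster's setup and the definition given in the reply.
BEFORE = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}
AFTER = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def alerts(variables):
    """Names of the sample connections on which the modelled rule fires."""
    return [c["name"] for c in CONNS if sid_618_fires(c, variables)]

if __name__ == "__main__":
    print("EXTERNAL_NET any        :", alerts(BEFORE))
    print("EXTERNAL_NET !$HOME_NET :", alerts(AFTER))
```

With `!$HOME_NET`, every rule whose source is `$EXTERNAL_NET` stops matching internal-to-internal traffic, not only sid:618, so traffic between internal hosts is no longer covered by those rules.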