Netbios rules and keeping snort quiet about them ;)

[James Nonya <slave_tothe_box () yahoo com>]

Good Morning all!

Here's my setup:  I have two routers one in each
building.  Building A is 10.1.0.0/24 and building B is
10.2.0.0/24.  My internal/external net settings in
snort.conf are:

var EXTERNAL_NET [!10.1.0.0/16,!10.2.0.0/15,ANY]

I have TRIED to set my NT NULL session alert to:

alert tcp [!10.1.0.0/16,!10.2.0.0/16] any -> $HOME_NET
139

I will STILL get hits on this...I'm not sure how to
tell snort to ignore the rule if it's source is 10
based.  Anyone have this same issue?  Thanks!

James

__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users