Snort mailing list archives
Re: one IP
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 04 Feb 2004 11:54:00 -0500
At 07:49 AM 2/4/2004, Keming wrote:
> Hi, I'm trying to monitor only one IP as destination of the subnet but snort.conf -> var HOME_NET 1.2.3.4/32 and/or snort.conf -> var HOME_NET 1.2.3.4 seems to observe and alert all in this subnet (as destination)?
That should work, but it will only work for rules, and only rules that actually reference the HOME_NET.
There are a few rules in the ruleset which use 'any' where they should use HOME_NET.
And the preprocessors are mostly unaffected by HOME_NET, so any alerts spit out by the preprocessors won't be limited to HOME_NET.
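One way to find the rules the reply describes, added here as an example and not part of the original message or of Snort itself: a small audit that parses Snort rule headers and lists rules whose destination side does not reference `$HOME_NET`. The function names, sample rules and sids are constructed for illustration, and the standard header layout (action, protocol, source, port, direction, destination, port) is assumed. Preprocessor alerts are not covered, since they do not come from rules.

```python
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def option(opts, name):
    """Return the value of a rule option such as msg or sid, or None."""
    m = re.search(r'\b%s\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+);' % re.escape(name), opts)
    return m.group(1).strip().strip('"') if m else None

def limits_to(side, var):
    """True if an address field restricts traffic to var (a negation does not)."""
    return var in side and not side.startswith('!')

def rules_ignoring_home_net(lines, var="$HOME_NET"):
    """List (sid, dst, msg) for active rules whose destination is not tied to var.

    For '->' rules the destination is the right-hand address; for '<>' rules
    either side can be the destination, so both sides are checked.
    """
    findings = []
    for line in lines:
        if line.lstrip().startswith('#'):      # commented-out rule
            continue
        m = HEADER.match(line)
        if not m:                              # blank line, var/include directive, etc.
            continue
        sides = [m['dst']] if m['dir'] == '->' else [m['src'], m['dst']]
        if not any(limits_to(s, var) for s in sides):
            findings.append((option(m['opts'], 'sid'), m['dst'], option(m['opts'], 'msg')))
    return findings

# Constructed sample rules (not taken from any real ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed web rule"; sid:1000001;)',
    'alert icmp any any -> any any (msg:"constructed icmp rule"; sid:1000002;)',
    'alert tcp $HOME_NET any <> $EXTERNAL_NET 6667 (msg:"constructed chat rule"; sid:1000003;)',
    'alert udp $EXTERNAL_NET any -> !$HOME_NET 53 (msg:"constructed dns rule"; sid:1000004;)',
    '# alert tcp any any -> any 23 (msg:"disabled rule"; sid:1000005;)',
]

if __name__ == "__main__":
    for sid, dst, msg in rules_ignoring_home_net(SAMPLE_RULES):
        print(f"sid {sid}: destination {dst} is not limited by HOME_NET ({msg})")
```

Rules it reports will keep alerting on other hosts in the subnet even with `var HOME_NET 1.2.3.4/32` set.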