Snort mailing list archives

Re: How to exclude alerts from within my home network.


From: Italo Antonio <imigotto () proteus com br>
Date: Fri, 14 Sep 2001 15:12:44 -0400

That's because some rules are based on what your systems return to the
offender, for example:

info.rules:alert tcp any any -> any any (msg:"INFO id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)

That means someone rooted a box, but you can't get it by the packets that
the attacker sent; you need to examine what your systems returned.
Anyway, which are the attacks you're getting?

Italo.

Peter Borner wrote:

In my snort.conf file I have set HOME_NET to the IP address and mask of
my internal LAN and then set EXTERNAL_NET to !$HOME_NET

I was hoping this would avoid recording alerts from machines within my
home network. However, I am still seeing numerous alerts from these
machines being recorded in the database. Have I done something wrong?

Thanks,

Peter


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
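The exchange above turns on how Snort resolves $HOME_NET and $EXTERNAL_NET in a rule header: a rule written as "any any -> any any" (like sid 498) is matched against every packet, so setting EXTERNAL_NET to !$HOME_NET cannot suppress it, while a rule written as "$EXTERNAL_NET any -> $HOME_NET any" never fires for internal-to-internal traffic. The script below is an added example, not Snort's own code and not from either poster: it resolves the two variables the way the thread describes (HOME_NET set to an internal LAN, EXTERNAL_NET = !$HOME_NET) and reports which rule headers match a given connection. The 192.168.1.0/24 value, the two rules with sids 9000001 and 9000002, and the sample addresses are constructed for the example; only sid 498 is the rule quoted in the mail.

```python
"""Show which Snort rule headers match a connection once $HOME_NET and
$EXTERNAL_NET are resolved.  Added example for this thread, not Snort's
own code.  Protocol is ignored; the point is the address/port variables."""
import ipaddress
import re

# Constructed variable settings, as Peter describes them in his mail.
VARIABLES = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Constructed rule set: sid 498 is the rule quoted in the thread; the two
# EXAMPLE rules are hypothetical and exist only for this demonstration.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"INFO id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet from outside"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE irc to outside"; sid:9000002; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def addr_matches(spec, ip, variables):
    """True if `ip` falls inside the Snort address spec `spec`.
    Handles 'any', '!' negation, $VARIABLE references (resolved recursively,
    so EXTERNAL_NET = !$HOME_NET works) and [a,b,...] lists; anything else
    is parsed as a CIDR block or a single address."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(p, ip, variables) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """True if `port` is covered by the Snort port spec ('any', N, lo:hi, !spec)."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


def header_matches(m, src_ip, sport, dst_ip, dport, variables):
    """Apply one parsed header to a 4-tuple; '<>' rules match either direction."""
    forward = (addr_matches(m["src"], src_ip, variables) and port_matches(m["sport"], sport)
               and addr_matches(m["dst"], dst_ip, variables) and port_matches(m["dport"], dport))
    if m["dir"] == "->" or forward:
        return forward
    return (addr_matches(m["src"], dst_ip, variables) and port_matches(m["sport"], dport)
            and addr_matches(m["dst"], src_ip, variables) and port_matches(m["dport"], sport))


def matching_sids(rules_text, src_ip, sport, dst_ip, dport, variables=VARIABLES):
    """Return the sids of all rules whose header matches the given connection."""
    sids = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m is None:
            continue
        if header_matches(m, src_ip, sport, dst_ip, dport, variables):
            sid = SID_RE.search(m["opts"])
            sids.append(int(sid.group(1)) if sid else None)
    return sids


if __name__ == "__main__":
    # One internal host answering another: only the 'any any -> any any'
    # rule can fire, which is why sid 498 ignores HOME_NET/EXTERNAL_NET.
    print(matching_sids(SAMPLE_RULES, "192.168.1.10", 22, "192.168.1.20", 40000))
    # An outside host connecting to an internal telnet port.
    print(matching_sids(SAMPLE_RULES, "203.0.113.5", 40000, "192.168.1.20", 23))
```

Running this against a real rules file with your own HOME_NET value gives a quick inventory of which rules can still fire on internal-to-internal traffic; any rule whose source and destination are both "any" or $HOME_NET is a candidate for a local rule override or a BPF filter rather than a variable change.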