Snort mailing list archives
Re: How to exclude alerts from within my home network.
From: Italo Antonio <imigotto () proteus com br>
Date: Fri, 14 Sep 2001 15:12:44 -0400
That's because some rules are based on what your systems return to the offender, for example, from info.rules:

alert tcp any any -> any any (msg:"INFO id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)

That means someone rooted a box, but you can't get it from the packets that the attacker sent; you need to examine what your systems returned. Anyway, which are the attacks you're getting?

Italo.

Peter Borner wrote:
In my snort.conf file I have set HOME_NET to the IP address and mask of my internal LAN and then set EXTERNAL_NET to !$HOME_NET. I was hoping this would avoid recording alerts from machines within my home network. However, I am still seeing numerous alerts from these machines being recorded in the database. Have I done something wrong?

Thanks,
Peter
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
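The point of the reply above is that HOME_NET and EXTERNAL_NET only take effect through the rule header, and a header of "any any -> any any" ignores both variables, so internal-to-internal traffic still alerts. The following is an added illustration, not Snort's code and not part of the thread: a small model of how a rule header is resolved against the variables, run over the sid:498 rule as quoted and over a constructed variant whose header is restricted to $HOME_NET -> $EXTERNAL_NET (the "uid=0(root)" text is in the reply from the compromised host, so that is the direction a restricted version must use). The variable values, the second rule (with a made-up local sid) and the packets are all constructed for the example.

```python
"""Minimal model of how Snort resolves a rule header against HOME_NET /
EXTERNAL_NET. Added illustration, not Snort's own code; the 'sid:498'
rule text is from the thread, the rewritten header and all packets are
constructed for the example."""
import ipaddress

# Constructed variables, mirroring a snort.conf with
#   var HOME_NET 192.168.1.0/24
#   var EXTERNAL_NET !$HOME_NET
VARIABLES = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}


def addr_matches(spec, ip, variables):
    """True if 'ip' satisfies an address spec: any, CIDR list, $VAR or !<spec>."""
    negate = False
    while spec.startswith("!"):          # each '!' flips the result
        negate = not negate
        spec = spec[1:]
    if spec.startswith("$"):              # variable: resolve recursively
        hit = addr_matches(variables[spec[1:]], ip, variables)
    elif spec == "any":
        hit = True
    else:                                 # one or more CIDR blocks
        hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
                  for n in spec.strip("[]").split(","))
    return hit != negate


def port_matches(spec, port):
    """'any' or a single port number (enough for the rules in this thread)."""
    return spec == "any" or int(spec) == port


def header_matches(rule, pkt, variables):
    """Evaluate only the rule header (proto, addresses, ports, direction), the
    part that HOME_NET/EXTERNAL_NET influence; payload options are ignored."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()

    def one_way(s, sp, d, dp):
        return (proto in ("ip", pkt["proto"])
                and addr_matches(s, pkt["src"], variables)
                and port_matches(sp, pkt["sport"])
                and addr_matches(d, pkt["dst"], variables)
                and port_matches(dp, pkt["dport"]))

    if direction == "<>":                 # bidirectional header
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    return one_way(src, sport, dst, dport)


# The rule as quoted in the reply: 'any any -> any any', so HOME_NET and
# EXTERNAL_NET play no part and internal-to-internal traffic still alerts.
RULE_AS_SHIPPED = ('alert tcp any any -> any any (msg:"INFO id check returned root"; '
                   'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)')

# Constructed variant (not a vendor rule; local sid chosen for the example):
# the 'uid=0(root)' text is in the reply from the compromised host, so a
# direction-restricted header must be HOME_NET -> EXTERNAL_NET.
RULE_HOME_TO_EXTERNAL = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO id check '
                         'returned root"; flags:A+; content: "uid=0(root)"; '
                         'classtype:bad-unknown; sid:1000498; rev:1;)')

# Constructed packets: only the header fields matter for this check.
PACKETS = {
    "internal_to_internal": {"proto": "tcp", "src": "192.168.1.10", "sport": 4444,
                             "dst": "192.168.1.20", "dport": 23},
    "home_to_outside":      {"proto": "tcp", "src": "192.168.1.20", "sport": 23,
                             "dst": "203.0.113.5", "dport": 4444},
    "outside_to_home":      {"proto": "tcp", "src": "203.0.113.5", "sport": 4444,
                             "dst": "192.168.1.20", "dport": 23},
}


def headers_that_fire(rule, variables=VARIABLES, packets=PACKETS):
    """Names of the constructed packets whose header satisfies the rule."""
    return sorted(name for name, pkt in packets.items()
                  if header_matches(rule, pkt, variables))


if __name__ == "__main__":
    print("as shipped   :", headers_that_fire(RULE_AS_SHIPPED))
    print("HOME -> EXT  :", headers_that_fire(RULE_HOME_TO_EXTERNAL))
```

Running it shows the as-shipped header firing on all three constructed flows, including the purely internal one, while the restricted header fires only on the reply leaving the home network. Narrowing a rule's header this way is a trade-off: the restricted version no longer sees an internal host compromised from another internal host, which is exactly the case the original "any -> any" header was covering.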