Snort mailing list archives

Re: ignoring unwanted traffic coming from source


From: "Emre Yildirim" <emre () vsrc uab edu>
Date: Sun, 9 Dec 2001 00:29:28 -0600 (CST)

Emre:

OK: let's see..

If you're setting HOME_NET and EXTERNAL_NET the same, then a lot of the rules
will end up applying to most anything, because the rule sees no difference in
incoming versus outgoing...

I think you've got to set $HOME_NET to the IP block of your internal network.

If, as you said below you tried 12.34.56.78/24 -- that won't work unless you
really did 12.34.56.0/24 to indicate a netblock.

12.34.56.78 as a single host would want to be 12.34.56.78/32 -- the /32
indicating that this is *one* computer only.

okay, here's what I did:  I set HOME_NET to 12.34.56.78/32 and EXTERNAL_NET is still set
to any.  I tried port scanning from the machine and then port scanning the machine from
some other machine (if that makes any sense).  The port scan showed up in the alerts
when I scanned 12.34.56.78 from some other machine, but no port scan alerts showed up
when I scanned some other machine from 12.34.56.78.  So I guess it's working?  I have to
give it a few days run time to see how many alerts get generated, and see if any of
those have a source of 12.34.56.78.  If none of them do, it worked.  It's been a long time
since I set up snort (and it seems like it changed a lot over a year)...forgive me :-D

Thanks for the help!
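To make the two points in this thread concrete (why HOME_NET = EXTERNAL_NET matches both directions, and why 12.34.56.78/24 is not a valid netblock), here is a small added model of the header of a rule like `alert tcp $EXTERNAL_NET any -> $HOME_NET any`; it is not Snort code and not from this thread, and it simplifies Snort's real variable and rule handling (no `!` negation, no `<>` bidirectional rules, no portscan preprocessor), using Python's `ipaddress` module and two constructed packets.

```python
import ipaddress


def parse_net(spec):
    """Parse a Snort-style variable value: 'any' or a CIDR netblock.

    ipaddress.ip_network() is strict by default, so '12.34.56.78/24'
    raises ValueError (host bits set), while '12.34.56.0/24' and
    '12.34.56.78/32' parse. 'any' is modelled as None (matches everything).
    """
    if spec == "any":
        return None
    return ipaddress.ip_network(spec)


def is_valid_netblock(spec):
    """True if the value would be accepted as a variable setting."""
    try:
        parse_net(spec)
        return True
    except ValueError:
        return False


def in_net(addr, net):
    return net is None or ipaddress.ip_address(addr) in net


def rule_matches(src, dst, home_net, external_net):
    """Header check for 'alert tcp $EXTERNAL_NET any -> $HOME_NET any'."""
    return in_net(src, parse_net(external_net)) and in_net(dst, parse_net(home_net))


def count_matches(packets, home_net, external_net):
    return sum(1 for src, dst in packets if rule_matches(src, dst, home_net, external_net))


# Constructed sample traffic: the two scans described in the thread.
PACKETS = [
    ("10.0.0.5", "12.34.56.78"),   # inbound: some other machine scans our host
    ("12.34.56.78", "10.0.0.5"),   # outbound: our host scans some other machine
]

if __name__ == "__main__":
    print(count_matches(PACKETS, "any", "any"))             # 2: both directions fire
    print(count_matches(PACKETS, "12.34.56.78/32", "any"))  # 1: only the inbound scan
    print(is_valid_netblock("12.34.56.78/24"))              # False: host bits set
```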


