Snort mailing list archives

snort not ignoring traffic


From: Tyler Owen <t.l.owen () larc nasa gov>
Date: 14 Jan 2002 12:44:02 -0500


I am having two problems with snort not ignoring traffic.  

My Config: I have two sensors running snort 1.8.3 logging to a central
mysql database.  They both have the same snort.conf and same rules. 
Where I am located on the network I see local traffic as well as
external traffic.  I am using DEMARC to view and manage the alerts and
also to configure the sensors.  I am also running snort with the -o
option for my pass rule.

Problem 1: I want to ignore all of the local traffic and only get
"alerts" on external to local traffic.  I have set HOME_NET
[172.24.0.0/16,10.10.0.0/16] and EXTERNAL_NET !$HOME_NET (first of all
is that OK?) but I still see the traffic.  I have also tried setting
EXTERNAL_NET !172.24.0.0/16 and I still see the traffic between local
hosts.

Problem 2:  I set a variable to be the IPs of hosts that run
vulnerability scans internally to ignore traffic from them.  This works
on one of the sensors but not the other??  The rule is: 

pass tcp $INFO_SEC_PCS any -> any any;

Any ideas why this would work on one host but not the other?


Thanks for your time!

Tyler

