
Re: snort not ignoring traffic


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 14 Jan 2002 13:57:28 -0500

Tyler Owen wrote:

> I am having two problems with snort not ignoring traffic.

> My Config: I have two sensors running snort 1.8.3 logging to a central
> mysql database.  They both have the same snort.conf and same rules.
> Where I am located on the network I see local traffic as well as
> external traffic.  I am using DEMARC to view and manage the alerts and
> also to configure the sensors.  I am also running snort with the -o
> option for my pass rule.

> Problem 1: I want to ignore all of the local traffic and only get
> "alerts" on external to local traffic.  I have set HOME_NET
> [172.24.0.0/16,10.10.0.0/16] and EXTERNAL_NET !$HOME_NET (first of all
> is that OK?) but I still see the traffic.  I have also tried setting
> EXTERNAL_NET !172.24.0.0/16 and I still see the traffic between local
> hosts.

Setting the EXTERNAL_NET like that is fine, but because you're using IP
lists the ! doesn't really apply in a commutative manner.  Try

var EXTERNAL_NET [!172.24.0.0/16,!10.10.0.0/16]

> Problem 2:  I set a variable to be the IPs of hosts that run
> vulnerability scans internally to ignore traffic from them.  This works
> on one of the sensors but not the other??  The rule is:
>
> pass tcp $INFO_SEC_PCS any -> any any;
>
> Any ideas why this would work on one host but not the other?

Not really, unless the IP is wrong.  You might try

pass ip $INFO_SEC_PCS any -> any any

and don't close it with a semicolon, it's not needed to terminate a
rule-header-only rule.

    -Marty

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
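As an added example (not code from the thread, from DEMARC or from Snort itself), the following Python models Snort-style address lists so you can check, offline, which flows a rule header such as `$EXTERNAL_NET any -> $HOME_NET any` would match under the EXTERNAL_NET definition Marty suggests, and whether the pass rule's source list actually covers the scanner hosts. The list semantics are an assumption stated in the code (positive entries form an allow set, negated entries are exclusions, a leading `!` on a variable inverts the whole list); they describe the intended meaning, not how Snort 1.8.3 parsed `![list]`, which is exactly what the reply says not to rely on. The variable table, the scanner addresses and the sample flows are constructed for the example.

```python
"""Model of Snort-style address lists, used to check which flows a rule header
would match. Added example, not Snort's own parser: the semantics below
(positives are an allow set, negated entries are exclusions, a leading "!"
inverts the whole expression) are an assumption, not Snort 1.8.3 behaviour."""
import ipaddress

# Constructed variable table mirroring the thread's snort.conf settings.
# INFO_SEC_PCS holds hypothetical scanner hosts; the real addresses are unknown.
VARS = {
    "HOME_NET": "[172.24.0.0/16,10.10.0.0/16]",
    "EXTERNAL_NET": "[!172.24.0.0/16,!10.10.0.0/16]",
    "INFO_SEC_PCS": "[172.24.5.10,172.24.5.11]",
}


def expand(spec, variables=VARS):
    """Resolve $VAR references (including !$VAR) to their literal list text."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body.startswith("$"):
        body = variables[body[1:]]
    return ("!" + body) if negate else body


def parse_list(spec):
    """Split "[a,!b,c]", "!(list)" or a bare "a" into
    (outer_negate, positive_networks, negated_networks)."""
    spec = spec.strip()
    outer_negate = spec.startswith("!")
    if outer_negate:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positives, negatives = [], []
    for entry in spec.split(","):
        entry = entry.strip()
        if entry == "any":
            continue  # "any" imposes no constraint at all
        if entry.startswith("!"):
            negatives.append(ipaddress.ip_network(entry[1:], strict=False))
        else:
            positives.append(ipaddress.ip_network(entry, strict=False))
    return outer_negate, positives, negatives


def matches(spec, addr, variables=VARS):
    """True if addr is matched by an address spec such as $EXTERNAL_NET.
    Assumed semantics: inside = (no positives, or in some positive) and
    not in any negated entry; a leading "!" on the whole spec inverts that."""
    outer_negate, positives, negatives = parse_list(expand(spec, variables))
    ip = ipaddress.ip_address(addr)
    inside = (not positives or any(ip in n for n in positives)) \
        and not any(ip in n for n in negatives)
    return (not inside) if outer_negate else inside


def header_matches(src_spec, dst_spec, src, dst, variables=VARS):
    """Does the (source, destination) address pair match a rule header?"""
    return matches(src_spec, src, variables) and matches(dst_spec, dst, variables)


def classify_flows(flows, variables=VARS):
    """For each (src, dst) pair report whether the thread's two headers fire:
    the alert header  $EXTERNAL_NET any -> $HOME_NET any
    the pass header   $INFO_SEC_PCS any -> any any"""
    verdicts = {}
    for src, dst in flows:
        verdicts[(src, dst)] = {
            "alert": header_matches("$EXTERNAL_NET", "$HOME_NET", src, dst, variables),
            "pass": header_matches("$INFO_SEC_PCS", "any", src, dst, variables),
        }
    return verdicts


# Constructed sample flows: local->local, external->local, scanner->local.
SAMPLE_FLOWS = [
    ("172.24.1.1", "10.10.2.2"),
    ("203.0.113.5", "172.24.1.1"),
    ("172.24.5.10", "10.10.2.2"),
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_FLOWS).items():
        print(flow, verdict)
```

With the per-entry negated list, the local-to-local flow is outside `$EXTERNAL_NET` and so never reaches the alert header, while the external-to-local flow does; the scanner flow is matched only by the pass header. Whether that pass verdict actually suppresses an alert depends on rule order: Snort's default order checks alert rules before pass rules, and the `-o` option mentioned in the thread is what moves pass rules to the front.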

