Snort mailing list archives

Re: Excluding $HOME_NET -> $HOME_NET Alerts


From: Ed Kasky <ed () esson net>
Date: Sun, 19 May 2002 19:41:29 -0700

At 10:20 AM Monday, 5/20/2002, Michael Boman wrote -=>
> On Monday 20 May 2002 10:00, Ed Kasky wrote:
>> Is there a way to disable certain alerts from any home_net host to another
>> home_net host?  I back up my web server over the wire to a tape machine and
>> get flooded with "Shellcode X86 Noop" alerts whenever I run it.  I also get
>> a lot of "WEB-MISC long basic authorization string" alerts using acid to
>> view alerts in a mysql database.
>>
>> I was under the impression that "alert ip $EXTERNAL_NET any -> $HOME_NET"
>> took care of this.
>>
>>  From my snort.conf:
>> var HOME_NET 10.0.0.0/24
>
> And I bet you have:
>
> var EXTERNAL_NET any

Good guess...

> that matches any address, including those in HOME_NET. why not set
> EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET). This would however
> limit the ability to catch insiders....

I see what you mean if I change it in snort.conf.

Will this work in an individual rule:
"alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET"

Or can I even make it more specific to exclude the one ip address that is causing the specific alert when backing up?
"alert ip $EXTERNAL_NET !10.0.0.3 -> $HOME_NET"


Ed Kasky
Los Angeles, CA
. . . . . . . .
~ The only thing infinite is our capacity for self-deception. ~
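The point Michael makes above (that `any` includes HOME_NET) and the two alternatives Ed asks about are easy to check with a small model of how Snort resolves rule-header address fields. The example below is added here and is not code from the thread or from Snort itself: it parses the address and port fields of a rule header (`any`, `$VAR`, `!addr`, CIDR, `[a,b]` lists), evaluates constructed packets against a few rule variants, and models the alert/pass/log ordering that the `-o` switch changes. The backup host address 10.0.0.3, the packets and the rule text are assumptions for illustration. One detail worth keeping in mind when writing such rules: the header format is `action proto src_addr src_port -> dst_addr dst_port`, so a negated address goes in the address position, as in `alert ip !10.0.0.3 any -> $HOME_NET any`.

```python
"""Model of Snort rule-header address matching (added example, not Snort code).
The rules and packets below are constructed to illustrate the thread's question."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Values from the poster's snort.conf; the backup host address is an assumption.
VARS = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "any"}
BACKUP_HOST = "10.0.0.3"


def addr_matcher(spec: str, variables: dict) -> Callable[[str], bool]:
    """Turn one address field into a predicate over an IP address string.
    Supports any, $VAR, !<field>, host/CIDR, and [a,b,...] lists (OR of members)."""
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True                      # 'any' matches HOME_NET too
    if spec.startswith("!"):
        inner = addr_matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return addr_matcher(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        members = [addr_matcher(m, variables) for m in spec[1:-1].split(",")]
        return lambda ip: any(m(ip) for m in members)
    net = ipaddress.ip_network(spec, strict=False)  # a bare host becomes /32
    return lambda ip: ipaddress.ip_address(ip) in net


def port_matcher(spec: str) -> Callable[[int], bool]:
    if spec == "any":
        return lambda p: True
    if spec.startswith("!"):
        inner = port_matcher(spec[1:])
        return lambda p: not inner(p)
    return lambda p: p == int(spec)


@dataclass
class Rule:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    msg: str


def parse_rule(text: str, variables: dict) -> Rule:
    """Parse 'action proto src sport -> dst dport (msg:"...";)'."""
    header, _, options = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are modelled")
    msg = options.split('msg:"')[1].split('"')[0] if 'msg:"' in options else ""
    return Rule(action, proto, addr_matcher(src, variables), port_matcher(sport),
                addr_matcher(dst, variables), port_matcher(dport), msg)


def rule_matches(rule: Rule, pkt: tuple) -> bool:
    proto, src, sport, dst, dport = pkt
    return ((rule.proto == "ip" or rule.proto == proto)
            and rule.src(src) and rule.sport(sport)
            and rule.dst(dst) and rule.dport(dport))


def snort_verdict(rules: list, pkt: tuple, pass_first: bool = False) -> tuple:
    """Default rule order is alert, pass, log; snort -o makes it pass, alert, log."""
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    for action in order:
        for r in rules:
            if r.action == action and rule_matches(r, pkt):
                return action, r.msg
    return "none", ""


def demo() -> dict:
    # Constructed packets: (proto, src, sport, dst, dport)
    backup = ("tcp", BACKUP_HOST, 40000, "10.0.0.10", 9000)     # HOME -> HOME backup stream
    insider = ("tcp", "10.0.0.20", 40001, "10.0.0.10", 80)      # another HOME host
    external = ("tcp", "203.0.113.9", 40002, "10.0.0.10", 80)   # outside attacker
    sig = 'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";)'
    out = {}
    # 1. As posted: EXTERNAL_NET is 'any', so internal traffic matches as well.
    r1 = parse_rule(sig, VARS)
    out["any"] = tuple(snort_verdict([r1], p)[0] for p in (backup, insider, external))
    # 2. var EXTERNAL_NET !$HOME_NET: quiet backups, but insiders are lost too.
    r2 = parse_rule(sig, dict(VARS, EXTERNAL_NET="!$HOME_NET"))
    out["neg_home"] = tuple(snort_verdict([r2], p)[0] for p in (backup, insider, external))
    # 3. Exclude only the backup host, in the source-address position of the rule.
    r3 = parse_rule('alert ip !10.0.0.3 any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";)', VARS)
    out["neg_host"] = tuple(snort_verdict([r3], p)[0] for p in (backup, insider, external))
    # 4. A pass rule only wins if pass rules are evaluated first (snort -o).
    p = parse_rule('pass ip 10.0.0.3 any -> $HOME_NET any (msg:"backup";)', VARS)
    out["pass_default"] = snort_verdict([r1, p], backup)[0]
    out["pass_with_o"] = snort_verdict([r1, p], backup, pass_first=True)[0]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Variant 3 keeps alerts from external hosts and from other internal hosts while silencing the one backup source; variant 2 is simpler but, as Michael notes, drops everything internal. The pass-rule variant is the usual way to whitelist one flow without editing every signature, provided Snort is started with `-o` so pass rules are checked before alert rules.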


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net