Snort mailing list archives
Re: Excluding $HOME_NET -> $HOME_NET Alerts
From: Ed Kasky <ed () esson net>
Date: Mon, 20 May 2002 09:21:20 -0700
Michael,

The only problem with this is that it changes the "Signature" description of each Alert to "(External) Incoming traffic."

Can it be done without the msg description so that it leaves Snort's description?

Ed

~~ At 11:36 AM Monday, 5/20/2002, Michael Boman wrote -=>
You could create a 'pass' rule.

    var HOME_NET [10.1.1.0/24,10.1.2.0/24]
    var EXTERNAL_NET !$HOME_NET
    var IGNORE_THIS_BOX [10.2.1.92]
    pass ip $IGNORE_THIS_BOX any -> $HOME_NET any (msg:"I am ignoring you";)
    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"(External) Incomming traffic";)

and start snort with '-o'. Be careful though, too many pass rules and performance drops dramatically.
Ed Kasky
Los Angeles, CA
. . . . . . . .
Jumping to conclusions can be a bad exercise.
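Why the quoted advice needs '-o', as an added example that is not part of the original thread and is not Snort's code: a simplified Python model of Snort's rule-type ordering (Alert->Pass->Log by default, Pass->Alert->Log with -o). The networks come from the quoted message; the alert message and sample addresses are constructed, and the pass rule is modeled with no msg option.

```python
import ipaddress

HOME_NET = ["10.1.1.0/24", "10.1.2.0/24"]   # from the quoted message
IGNORE_THIS_BOX = ["10.2.1.92/32"]          # from the quoted message
STOCK_MSG = "CONSTRUCTED stock signature"   # stand-in for a shipped rule's msg

def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR blocks in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

# Each rule: (action, source test, destination test, msg).
RULES = [
    # Pass rule: no msg, because a pass never writes an alert record.
    ("pass", lambda s: in_nets(s, IGNORE_THIS_BOX),
     lambda d: in_nets(d, HOME_NET), None),
    # Alert rule standing in for any signature that keeps its own msg.
    ("alert", lambda s: not in_nets(s, HOME_NET),
     lambda d: in_nets(d, HOME_NET), STOCK_MSG),
]

DEFAULT_ORDER = ("alert", "pass", "log")     # Snort started without -o
PASS_FIRST_ORDER = ("pass", "alert", "log")  # Snort started with -o

def evaluate(src, dst, order):
    """Walk rule types in `order`; return (action, msg) of the first match."""
    for action in order:
        for rule_action, src_ok, dst_ok, msg in RULES:
            if rule_action == action and src_ok(src) and dst_ok(dst):
                return action, msg
    return None, None

if __name__ == "__main__":
    # Constructed sample traffic: (source, destination).
    packets = [("10.2.1.92", "10.1.1.5"),   # the ignored box
               ("192.0.2.7", "10.1.2.9"),   # some other external host
               ("10.1.1.4", "10.1.2.9")]    # internal to internal
    for name, order in (("default", DEFAULT_ORDER), ("-o", PASS_FIRST_ORDER)):
        for src, dst in packets:
            print(name, src, "->", dst, evaluate(src, dst, order))
```

In this model the ignored box still alerts under the default order, is silently passed under the -o order, and every other alert carries the message of the alert rule that matched.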