Snort mailing list archives

Exclude Source?


From: "Darren Young" <darren () younghome com>
Date: Sun, 9 Jun 2002 13:37:13 -0500

Is it possible to exclude based on the source IP address only? Problem: I
have a Linux (iptables) firewall connected to the Internet with a static IP
using masquerading. Many times internal connections going out will trigger
false alarms, especially portscans, and contain the external IP of my
firewall as the source IP. My snort sensor is sitting outside the firewall
connected to the hub that my DSL line and firewall connect to via a stealth
interface so it can see everything. Is it wise to simply say "don't bother
with any traffic that the source IP is the external interface" or should I
be more detailed? Perhaps just tell the portscan preprocessor this?

************************************************************
** Darren Young                                           **
** UNIX, Network & Security Consultant                    **
** YHL Solutions                                          **
** darren () younghome com                                   **
** PGP: 6BAF 11AC D6D4 4F4F A94A C5AC 5926 5FC1 8A9F CC6D **
************************************************************



