Snort mailing list archives
Exclude Source?
From: "Darren Young" <darren () younghome com>
Date: Sun, 9 Jun 2002 13:37:13 -0500
Is it possible to exclude based on the source IP address only? Problem: I have a Linux (iptables) firewall connected to the Internet with a static IP using masquerading. Many times internal connections going out will trigger false alarms, especially portscans, and contain the external IP of my firewall as the source IP. My snort sensor is sitting outside the firewall connected to the hub that my dsl line and firewall connect to via a stealth interface so it can see everything. Is it wise to simply say "don't bother with any traffic that the source IP is the external interface" or should I be more detailed? Perhaps just tell the portscan preprocessor this? ************************************************************ ** Darren Young ** ** UNIX, Network & Security Consultant ** ** YHL Solutions ** ** darren () younghome com ** ** PGP: 6BAF 11AC D6D4 4F4F A94A C5AC 5926 5FC1 8A9F CC6D ** ************************************************************ _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Exclude Source? Darren Young (Jun 09)
- Re: Exclude Source? John Sage (Jun 09)