Snort mailing list archives

RE: Home_net & external_net


From: "Don" <Don () WeberOnTheWeb com>
Date: Fri, 6 Dec 2002 11:01:08 -0800

Well, in the original email that started this, he had 3 subnets in the HOME_NET variable yet wanted to get alerts from
only 1 of those subnets while still ignoring the other 2, so the following
var HOME_NET [192.168.40.0/24,10.14.0.0/16,66.166.50.0/24] 
var TRUSTED_NET [192.168.40.0/24,66.166.50.0/24]
var EXTERNAL_NET !$TRUSTED_NET

would result in no alerts at all for the 2 subnets in TRUSTED_NET, yet allow alerts for that '3rd' subnet in HOME_NET.
If TRUSTED_NET and HOME_NET were to contain exactly all of the same subnets it would be redundant. TRUSTED_NET allows
you to modify the one line by adding or removing subnets as you wish and leaving the rules as is; it has made
things a lot easier for me. You don't have to put subnets in TRUSTED_NET, you can use single IPs as well, and for
instance, ignore yourself for a day, or for testing, then remove the IP when you don't want it ignored any longer.
If you always use EXTERNAL_NET for alerts it probably would make no difference at all, but I've done this to narrow down
false positives on numerous alerts. Let's say I don't want ICMP alerts from 192.168.40.0 but I want all other alerts, so
I put 192.168.40.0 in TRUSTED_NET and in the alert rule I change EXTERNAL_NET to !$TRUSTED_NET and I'm OK; however,
leaving it as EXTERNAL_NET I would get alerts from it that I don't want. Doing this keeps all other alerts in place,
especially when EXTERNAL_NET isn't always everything that you have in EXTERNAL_NET; sometimes I want alerts from IP 1
and not IP 2, and vice versa.

Don



However, I don't understand why setting up:
var TRUSTED_NET [192.168.40.0/24,10.14.0.0/16]
var EXTERNAL_NET !$TRUSTED_NET

Is any different than:
var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
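The following is an added example, not code from the thread or from Snort itself: a small Python model of how the HOME_NET / TRUSTED_NET / EXTERNAL_NET variables above select which source addresses an `alert ... $EXTERNAL_NET any -> $HOME_NET any` rule fires on. The matching semantics are an assumption, stated here and in the code: a bracketed list covers an address that is inside at least one non-negated entry (or the list has no non-negated entries) and inside none of the negated entries, a leading `!` inverts the whole expression, and `$NAME` expands a variable. The sample addresses and the two variable sets (`DEFAULT_VARS`, `TRUSTED_VARS`) are constructed for the illustration; the `equivalent()` helper checks the question quoted at the end of the message against those samples under the same modelled semantics.

```python
"""Model of Snort IP-variable matching for the HOME_NET / TRUSTED_NET /
EXTERNAL_NET discussion above. Added example, not code from the thread or
from Snort. Assumed semantics (an assumption, not verified against Snort):
a bracketed list matches an address inside at least one non-negated entry
(or with no non-negated entries at all) and inside none of the negated
entries; a leading '!' inverts the whole expression; '$NAME' expands a
variable. Nested brackets are not handled. Sample addresses are constructed."""
import ipaddress

# Variable set 1: the common default where EXTERNAL_NET is simply !$HOME_NET.
DEFAULT_VARS = {
    "HOME_NET": "[192.168.40.0/24,10.14.0.0/16,66.166.50.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Variable set 2: the TRUSTED_NET approach described in the message.
TRUSTED_VARS = {
    "HOME_NET": "[192.168.40.0/24,10.14.0.0/16,66.166.50.0/24]",
    "TRUSTED_NET": "[192.168.40.0/24,66.166.50.0/24]",
    "EXTERNAL_NET": "!$TRUSTED_NET",
}

# Constructed sample source addresses, one per region of interest:
# trusted subnet, trusted subnet, HOME_NET-only subnet, outside everything.
SAMPLES = ["192.168.40.7", "66.166.50.2", "10.14.3.9", "203.0.113.5"]


def _entries(text):
    """Split '[a,b,!c]' into ['a', 'b', '!c']; Snort lists use no spaces."""
    return [e.strip() for e in text[1:-1].split(",") if e.strip()]


def matches(expr, addr, variables):
    """True if source address `addr` is covered by Snort IP expression `expr`."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):                      # whole-expression negation
        return not matches(expr[1:], addr, variables)
    if expr.startswith("$"):                      # variable expansion
        name = expr[1:]
        if name not in variables:
            raise KeyError("undefined Snort variable %s" % name)
        return matches(variables[name], addr, variables)
    if expr.startswith("[") and expr.endswith("]"):
        entries = _entries(expr)
        positives = [e for e in entries if not e.startswith("!")]
        negatives = [e[1:] for e in entries if e.startswith("!")]
        in_positive = (not positives) or any(
            matches(p, addr, variables) for p in positives)
        in_negative = any(matches(n, addr, variables) for n in negatives)
        return in_positive and not in_negative
    # Plain host or CIDR entry.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(expr, strict=False)


def alerting_sources(rule, variables, samples=SAMPLES):
    """Sources among `samples` that satisfy the source field of a rule header
    such as 'alert icmp $EXTERNAL_NET any -> $HOME_NET any'."""
    src = rule.split()[2]
    return [a for a in samples if matches(src, a, variables)]


def equivalent(expr_a, expr_b, variables, samples=SAMPLES):
    """True if both expressions agree on every sample address."""
    return all(matches(expr_a, a, variables) == matches(expr_b, a, variables)
               for a in samples)


if __name__ == "__main__":
    rule = "alert icmp $EXTERNAL_NET any -> $HOME_NET any"
    print("EXTERNAL_NET = !$HOME_NET    :", alerting_sources(rule, DEFAULT_VARS))
    print("EXTERNAL_NET = !$TRUSTED_NET :", alerting_sources(rule, TRUSTED_VARS))
    # Per-rule override instead of redefining EXTERNAL_NET globally.
    print("rule uses !$TRUSTED_NET      :", alerting_sources(
        "alert icmp !$TRUSTED_NET any -> $HOME_NET any", TRUSTED_VARS))
    # The question quoted at the end of the message, under the modelled semantics.
    q = dict(TRUSTED_VARS, TRUSTED_NET="[192.168.40.0/24,10.14.0.0/16]")
    print("!$TRUSTED_NET == [!a,!b]     :", equivalent(
        "!$TRUSTED_NET", "[!192.168.40.0/24,!10.14.0.0/16]", q))
```

With `EXTERNAL_NET = !$HOME_NET` only the outside address fires the rule; with `EXTERNAL_NET = !$TRUSTED_NET` (or with `!$TRUSTED_NET` written directly in the rule's source field) the 10.14.0.0/16 source fires as well, which is the behaviour the message describes. Whether `!$TRUSTED_NET` and `[!a,!b]` really evaluate identically in a given Snort release should be confirmed against that release's documentation; the model only shows they agree under the semantics assumed here.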