Snort mailing list archives

Re: exclude home_net from external_


From: "larc" <larc () pandora be>
Date: Thu 24 Oct 2002 15:47:48 +0200

hi,

if you want to exclude your home_net, change:
var EXTERNAL_NET !$HOME_NET

Stefan

------------------------
 pilsl () goldfisch at wrote:
------------------------
I'm quite new to snort.  I set the home_net to my internal-net and
external_net to any.

Now I got myriads of alerts when internal clients connect to our squid
server. Of course this is not what I want (alerts are only useful on
external connects), so I took a close look at the corresponding rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)

sid-msg.map:618 || SCAN Squid Proxy attempt


In that sense of course any connect from HOME_NET to HOME_NET will
raise an alert, cause home_net is a real subnet of EXTERNAL_NET.

So I think it would be wise to define EXTERNAL_NET as "ANY but not
HOME_NET".

Is there any reason why I don't want to do this?  If not: how could I
do this? In the docs I found only way to specify include-changes but
no ways to specify exclude-ranges.


Of course I could remove the whole rule on the sensor for the internal
interface, but I'd like to keep both rulesets consistent for easier
maintenance.

best,
peter




-- 
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
pilsl () goldfisch at


-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ad.doubleclick.net/clk;4729346;7592162;s?http://www.sun.com/javavote
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
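
A small model of the address matching discussed in this thread, added here as an example (not code from the thread or from Snort): it evaluates the header of the quoted sid:618 rule against constructed flows under both definitions of EXTERNAL_NET. The 192.168.1.0/24 HOME_NET, the sample addresses and the function names are assumptions.

```python
import ipaddress

HOME_NET = "192.168.1.0/24"  # assumed internal range, not from the thread

def in_spec(ip, spec, variables):
    """Evaluate a Snort-style address spec: 'any', '$VAR', '!spec' or a CIDR."""
    if spec.startswith("!"):
        return not in_spec(ip, spec[1:], variables)
    if spec.startswith("$"):
        return in_spec(ip, variables[spec[1:]], variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def header_matches(flow, variables):
    """Model of sid:618: tcp $EXTERNAL_NET any -> $HOME_NET 3128, flags:S."""
    src, dst, dport, flags = flow
    return (flags == "S"            # flags:S means SYN and nothing else
            and dport == 3128
            and in_spec(src, "$EXTERNAL_NET", variables)
            and in_spec(dst, "$HOME_NET", variables))

# Constructed sample flows: (source, destination, dest port, TCP flags)
FLOWS = {
    "internal client -> squid": ("192.168.1.50", "192.168.1.10", 3128, "S"),
    "outside host -> squid": ("203.0.113.7", "192.168.1.10", 3128, "S"),
    "internal client -> squid, ACK only": ("192.168.1.50", "192.168.1.10", 3128, "A"),
    "outside host -> internal web": ("203.0.113.7", "192.168.1.20", 80, "S"),
}

def alerts(external_net):
    """Return the names of the sample flows that would raise sid:618."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return sorted(name for name, flow in FLOWS.items()
                  if header_matches(flow, variables))

if __name__ == "__main__":
    for definition in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {definition}: {alerts(definition)}")
```

The same negation applies to every rule whose source is $EXTERNAL_NET, so traffic that originates inside HOME_NET no longer matches any of them on that sensor.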



