Snort mailing list archives

Re: suppressing events from private lan


From: hans <rosa.schwein () ma yer at>
Date: Thu, 17 Feb 2005 23:56:08 +0100



hi matt

thanks for answering again. 
i did change the config due to your recommendations. 
it seems, it is working as expected. 

but this means, if snort could see an attack from
internet to my private lan ( it's really at home ) 
it would also log this to file, or whatever defined.

best regards 
hans 

-- 


On Thu, Feb 17, 2005 at 01:50:45PM -0500, Matt Kettler wrote:
At 02:05 AM 2/17/2005, hans wrote:
i didn't set HOME_NET in the config-file, as i do start
snort with -h option.

Those are NOT the same thing.

-h has nothing to do with var HOME_NET, despite the blatantly confusing 
naming chosen (bad naming conventions are a common curse amongst 
programmers; snort's devels are no different).

-h has to do with which side snort's text-mode alert output will present as 
the source of attack once an alert is detected. Thus, it changes the format 
of alerts, but does not impact whether an alert will be generated or not.

HOME_NET has to do with what targets will be monitored for attack in the 
rules. It doesn't change the output format, but does impact whether an alert 
will be generated or not.

Two totally different aspects of snort are involved, but in theory both 
should be set to the same thing... hence the common, and often confusing, 
name...


so the following should work for:

var HOME_NET $bge0_ADDRESS [172.20.1.0/24]

Hmm.. that won't work, when doing multiple ranges you need to have them all 
enclosed inside the brackets and separated by commas. I've never tried 
mixing interface and static addresses, but if it's supported, this would be 
the correct syntax:

var HOME_NET [$bge0_ADDRESS, 172.20.1.0/24]


var EXTERNAL_NET !$HOME_NET
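
Added example, not part of the original thread and not Snort's own code: a simplified Python model of the variable syntax discussed above. It rejects the space-separated form, accepts the bracketed comma-separated list, and shows how HOME_NET and !$HOME_NET decide whether a rule header of the assumed form `$EXTERNAL_NET any -> $HOME_NET any` applies. The address substituted for $bge0_ADDRESS is a constructed value, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed value: the address assumed to stand in for $bge0_ADDRESS.
IFACE = {"bge0_ADDRESS": "192.0.2.10/32"}

def parse_var(value, env):
    """Parse one IP variable value into (negated, networks).

    Simplified model, not Snort's parser: one item, or a bracketed list
    whose items are separated by commas; anything else is rejected.
    """
    value = value.strip()
    negated = value.startswith("!")
    body = value[1:].strip() if negated else value
    if body.startswith("[") and body.endswith("]"):
        items = [i.strip() for i in body[1:-1].split(",")]
    else:
        items = [body]
    nets = []
    for item in items:
        if not item or re.search(r"[\s\[\]]", item):
            raise ValueError(f"malformed address list near {item!r}")
        if item.startswith("$"):
            ref_negated, ref_nets = env[item[1:]]  # KeyError if undefined
            if ref_negated:
                raise ValueError("nested negation is not modelled here")
            nets.extend(ref_nets)
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return negated, nets

def load(lines, iface=IFACE):
    """Build a variable table from 'var NAME VALUE' lines, in order."""
    env = {n: (False, [ipaddress.ip_network(a)]) for n, a in iface.items()}
    for line in lines:
        _, name, value = line.split(None, 2)
        env[name] = parse_var(value, env)
    return env

def matches(addr, var):
    """True if addr falls inside the variable, honouring a leading '!'."""
    negated, nets = var
    return any(ipaddress.ip_address(addr) in n for n in nets) != negated

def rule_applies(src, dst, env):
    """Model a rule header '$EXTERNAL_NET any -> $HOME_NET any' (assumed)."""
    return matches(src, env["EXTERNAL_NET"]) and matches(dst, env["HOME_NET"])
```

With the corrected HOME_NET line loaded, traffic from an outside address to 172.20.1.0/24 matches the modelled header, while traffic between two hosts inside 172.20.1.0/24 does not.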


