Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: suppresing events from private lan

From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 17 Feb 2005 18:18:05 -0500
At 05:56 PM 2/17/2005, hans wrote:

thanks for answering again.
i did change the config due to your recommendations.
it seems, it is working as expected.

but this means, if snort could see an attack from
internet to my private lan ( it's really at home )
it would also log this to file, or whatever defined.


Yes. In general, snort rules look for attacks from EXTERNAL_NET to HOME_NET.
However, one thing to be aware of is to keep in mind what it's possible for snort to see.
Your 172.20.1.0/24 is a reserved non-routable IP range, implying you've got a NAT somewhere.... If snort is sniffing your outside interface on a NAT firewall, it's never going to see packets addressed there, and you should leave that part out. If snort is also sniffing a post-nat interface, then you want to include those IPs.
(Remember, outside of your private network, those addresses are not routeable, thus your ISP will never forward packets addressed to 172.20.1.0/24 to your network. They don't even know you are using that address space, nor do they care. They only care about the address you NAT against.) 




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: