Re: Exclude one IP

[Joel Esler <joel.esler () sourcefire com>]

I think John was trying to have a whole range of IP's of HOME_NET and  
then one particular IP may have been dual-homed, or in a  
DMZ....etc...  You still want it analyzed, but not as HOME_NET.  If  
you use a pass rule or a bpf, it is totally ignored.  That's not good.

J





On Nov 1, 2005, at 6:39 PM, Paul Schmehl wrote:

> --On Tuesday, November 01, 2005 13:20:17 -0500 Joel Esler  
> <joel.esler () sourcefire com> wrote:
>
> > Matt,
> >
> >
> > Thanks for your email, however,
> >
> >
> > var HOME_NET [10.1.10.0/24,!10.1.10.24]
> > var EXTERNAL_NET !$HOME_NET
> >
> >
> > Will make HOME_NET everything in that range the HOME_NET except  
> > for that
> > one machine, then makes EXTERNAL_NET everything else including  
> > that one
> > machine.
> Just curious.  If you want to ignore one machine, why not use a  
> pass rule? Or a berkley filter?
>
> pass ip 10.1.10.24 any -> any any (msg:"Ignore this host";sid: 
> 1000001;rev:1;)
> pass ip any any -> 10.1.10.24 any (msg:"Ignore this host";sid: 
> 1000002;rev:1;)
>
> or start snort with a bpf filter: echo "not host 10.1.10.24" >  
> ignore.bpf
>
> snort -F ignore.bpf
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users