Snort mailing list archives

Re: Alert from Internal Net as Attacker


From: Giuseppe Morici <giuseppe.morici () e-gate it>
Date: Tue, 12 Jan 2016 14:44:55 +0000

Hello,
Yes, of course, I already did; the home net and external net are configured properly.


Best regards
Giuseppe Morici
Help Desk e-GATE s.r.l.
Uff.: +39 0112306001
Fax:+39 0112309130
Mobile:+39 3280389284
http://www.e-gate.it/
http://www.e-gate.to.it/
The information contained in this e-mail message is attorney privileged and confidential information intended only for 
the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the 
employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, 
distribution or copying of this communication is strictly prohibited. If you have received this communication in error, 
please immediately notify us by telephone or e-mail.

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, 12 January 2016 15:33
To: Giuseppe Morici <giuseppe.morici () e-gate it>; snort-users () lists sourceforge net
Subject: RE: Alert from Internal Net as Attacker

Have you tried adding !10.0.10.100 to your HOME_NET or to the rule for that specific alert?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Giuseppe Morici [mailto:giuseppe.morici () e-gate it]
Sent: Tuesday, January 12, 2016 8:25 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Alert from Internal Net as Attacker

Hello,
I have a question and hope that someone can give me an answer about it.
Is there a possibility to exclude an alert when the "source" is a range of IPs or aliases?
The IP in the source is an internal net IP (of course it is in the whitelist and in the default list as home net); in fact, the alert
pops up but doesn't go into the blocked list because the IP is whitelisted.
Is there a possibility to exclude the alert only if the source is the internal net, without disabling the rules, and let them
work for "real" attacks? (This is just to limit the spam in the alert list.)
Thanks for your help.

Best regards
Giuseppe Morici
Help Desk e-GATE s.r.l.
Uff.: +39 0112306001
Fax:+39 0112309130
Mobile:+39 3280389284
http://www.e-gate.it/
http://www.e-gate.to.it/
