Re: help with file bpf and ip 0.0.0.0

[hernani coelho <hernani_coelho () msn com>]

	#1-(1-7332) 
<http://192.168.1.66/base-1.4.5/base_qry_alert.php?submit=%231-%281-7332%29&sort_order=> 
	[snort <http://www.snort.org/search/sid/129-15>] stream5: Reset outside 
window 	2016-01-20 12:15:53 	64.4.8.0 
<http://192.168.1.66/base-1.4.5/base_stat_ipaddr.php?ip=64.4.8.0&netmask=32> 
	0.0.0.0 
<http://192.168.1.66/base-1.4.5/base_stat_ipaddr.php?ip=0.0.0.0&netmask32> 	

i put filter snort.conf

ipvar HOME_NET [192.168.1.66/24,0.0.0.0/8]
ipvar EXTERNAL_NET any

i now put in  /etc/snort/threshold.conf -- src ip 0.0.0.0/8 and works 
but not for 64.4.8.0  for dst ip 0.0.0.0/8 don't work
thanks

hernani
On 20-01-2016 11:54, James Lay wrote:
> What are the alerts (post sample), where did you put the filter at 
> (snort.conf or command line), and what are your HOME_NET and 
> EXTERNAL_NET set to?
>
> James
>
> On Wed, 2016-01-20 at 09:44 +0000, hernani coelho wrote:
> > nobody can help me??
> >
> > On 18-01-2016 10:47, hernani coelho wrote:
> > > hello,
> > >
> > > i install snort and work but i receive much alerts from ip 0.0.0.0 , i
> > > put in file BPF this -->
> > >
> > > not ( ip host (192.168.1.66 or 0.0.0.0))
> > >
> > > for the first ip it work but for ip 0.0.0.0 no work i receive much
> > > alerts.
> > >
> > > what can i do to ignore alerts from ip 0.0.0.0
> > >
> > > can someone help me??
> > >
> > > thanks
> > >
> > > hernani
> >
> >
> > ------------------------------------------------------------------------------
> > Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > Monitor end-to-end web transactions and take corrective actions now
> > Troubleshoot faster and improve end-user experience. Signup Now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net 
> > <mailto:Snort-users () lists sourceforge net>
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visithttp://blog.snort.org  to stay current on all the latest Snort news!
>
>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!