Snort mailing list archives
Re: ignoring unwanted traffic comming from source
From: John Sage <jsage () finchhaven com>
Date: Sat, 08 Dec 2001 21:14:45 -0800
Emre: OK: let's see... If you're setting HOME_NET and EXTERNAL_NET the same, then a lot of the rules will end up applying to most anything, because the rule sees no difference in incoming versus outgoing...
I think you've got to set $HOME_NET to the IP block of your internal network.
If, as you said below, you tried 12.34.56.78/24 -- that won't work unless you really did 12.34.56.0/24 to indicate a netblock.
12.34.56.78 as a single host would want to be 12.34.56.78/32 -- the /32 indicating that this is *one* computer only.
- John

Emre Yildirim wrote:

> > Emre: Do you have $HOME_NET set in any way?
>
> I have:
>
> var HOME_NET any
> var EXTERNAL_NET any
>
> > What snort version/rule sets are you using?
>
> I'm using the latest stable version (not development or CVS), and I'm using the default rule sets that came with the tarball.
>
> include bad-traffic.rules
> include exploit.rules
> include scan.rules
> include finger.rules
> include ftp.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include tftp.rules
> include web-cgi.rules
> include web-misc.rules
> include web-attacks.rules
> include icmp.rules
> include netbios.rules
> include misc.rules
> include attack-responses.rules
> # include backdoor.rules
> # include shellcode.rules
> # include policy.rules
> # include porn.rules
> # include info.rules
> # include icmp-info.rules
> # include virus.rules
> include local.rules
>
> > What command line? What (if any..) edits to snort.conf?
>
> I didn't edit anything other than commenting out some rule sets. Was I supposed to supply an IP for $HOME_NET? I think I tried 12.34.56.78/24 instead of any before, but I can't remember if that solved the issue. All I really want is that snort only logs stuff GOING to 12.34.56.78 not COMING from, i.e. where 12.34.56.78 is the destination. (PS I'm not really using 12.34.56.78, but my real IP which is different :-)
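Added example, not part of the original message and not Snort's own code: a small Python model of a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any`, showing why `any`/`any` alerts in both directions and which addresses each CIDR value from the thread covers. The remote address 198.51.100.7 and all function names are assumptions made for illustration; netblock normalisation is done by Python's `ipaddress` module, not by Snort.

```python
import ipaddress

def parse_var(value):
    """Turn a snort.conf-style address value ('any' or CIDR) into a predicate."""
    if value == "any":
        return lambda ip: True
    # strict=False masks off host bits, so 12.34.56.78/24 -> 12.34.56.0/24
    net = ipaddress.ip_network(value, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def covered(value):
    """Netblock and address count that a CIDR value describes."""
    net = ipaddress.ip_network(value, strict=False)
    return str(net), net.num_addresses

def rule_matches(home_net, external_net, src, dst):
    """Simplified model of '$EXTERNAL_NET any -> $HOME_NET any':
    source must fall in EXTERNAL_NET and destination in HOME_NET."""
    return parse_var(external_net)(src) and parse_var(home_net)(dst)

SENSOR = "12.34.56.78"   # placeholder address used in the thread
REMOTE = "198.51.100.7"  # constructed remote host (documentation range)

def directions(home_net, external_net):
    """(inbound_matches, outbound_matches) for traffic between REMOTE and SENSOR."""
    inbound = rule_matches(home_net, external_net, REMOTE, SENSOR)
    outbound = rule_matches(home_net, external_net, SENSOR, REMOTE)
    return inbound, outbound

if __name__ == "__main__":
    # The poster's setting first, then the single-host and netblock settings.
    for home, ext in [("any", "any"),
                      ("12.34.56.78/32", "any"),
                      ("12.34.56.0/24", "any")]:
        print(f"HOME_NET={home:15} EXTERNAL_NET={ext:4} "
              f"inbound/outbound={directions(home, ext)}")
    for cidr in ("12.34.56.78/24", "12.34.56.0/24", "12.34.56.78/32"):
        print(cidr, "covers", covered(cidr))
```

In this model, traffic sourced from the sensor stops matching as soon as HOME_NET is narrowed from `any` to the sensor's own address or netblock.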