Snort mailing list archives
RE: Home_net & external_net
From: "Don" <Don () WeberOnTheWeb com>
Date: Fri, 6 Dec 2002 11:01:08 -0800
Well, the original email that started this: he had 3 subnets in the HOME_NET variable, yet wanted to get alerts from only 1 of those subnets while still ignoring the other 2. So, with the following:

    var HOME_NET [192.168.40.0/24,10.14.0.0/16,66.166.50.0/24]
    var TRUSTED_NET [192.168.40.0/24,66.166.50.0/24]
    var EXTERNAL_NET !$TRUSTED_NET

would result in no alerts at all for the 2 subnets in TRUSTED_NET, yet allow alerts for that '3rd' subnet in HOME_NET. If TRUSTED_NET and HOME_NET were to contain exactly all of the same subnets, it would be redundant. TRUSTED_NET allows you to modify the one line by adding or removing subnets as you wish and leaving the rules as is; it has made things a lot easier for me. You don't have to put subnets in TRUSTED_NET; you can use single IPs as well, and, for instance, ignore yourself for a day, or for testing, then remove the IP when you don't want it ignored any longer.

If you always use EXTERNAL_NET for alerts it probably would make no difference at all, but I've done this to narrow down false positives on numerous alerts. Let's say I don't want ICMP alerts from 192.168.40.0 but I want all other alerts, so I put 192.168.40.0 in TRUSTED_NET and in the alert rule I change EXTERNAL_NET to !$TRUSTED_NET and I'm OK; however, leaving it as EXTERNAL_NET I would get alerts from it that I don't want. Doing this keeps all other alerts in place, especially when EXTERNAL_NET isn't always everything that you have in EXTERNAL_NET; sometimes I want alerts from IP 1, and not IP 2, and vice versa.

Don
However, I don't understand why setting up:

    var TRUSTED_NET [192.168.40.0/24,10.14.0.0/16]
    var EXTERNAL_NET !$TRUSTED_NET

is any different than:

    var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
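As an added example (not code from this thread and not part of Snort itself): a small Python model of how the `$VAR`, `!` and `[...]` address syntax used in these messages resolves against a packet address. The matching semantics are an assumption of this model rather than Snort's real parser: `!x` is the complement of `x`, a bracket list is the union of its members, a negated member always excludes, and a list made only of negated members means "anything not in those". It evaluates Don's HOME_NET/TRUSTED_NET/EXTERNAL_NET definitions, the two EXTERNAL_NET spellings from the quoted question, and Don's ICMP case against a few constructed addresses.

```python
import ipaddress

# Constructed variables, copied from the definitions discussed in the thread.
# Sample input for this model, not a working snort.conf.
THREAD_VARS = {
    "HOME_NET": "[192.168.40.0/24,10.14.0.0/16,66.166.50.0/24]",
    "TRUSTED_NET": "[192.168.40.0/24,66.166.50.0/24]",
    "EXTERNAL_NET": "!$TRUSTED_NET",
}


def _split_list(body):
    """Split the inside of a [...] list on top-level commas only."""
    items, depth, cur = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur).strip())
    return [i for i in items if i]


def _eval(ip, expr, vars_):
    # Assumed semantics (see lead-in); not Snort's own parser.
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):                  # complement of whatever follows
        return not _eval(ip, expr[1:], vars_)
    if expr.startswith("$"):                  # variable reference, resolved recursively
        name = expr[1:]
        if name not in vars_:
            raise KeyError("undefined variable $" + name)
        return _eval(ip, vars_[name], vars_)
    if expr.startswith("[") and expr.endswith("]"):
        items = _split_list(expr[1:-1])
        excluded = [i[1:] for i in items if i.startswith("!")]
        included = [i for i in items if not i.startswith("!")]
        if any(_eval(ip, e, vars_) for e in excluded):
            return False                      # a negated member always wins
        if not included:
            return True                       # only exclusions listed: "everything else"
        return any(_eval(ip, m, vars_) for m in included)
    return ip in ipaddress.ip_network(expr, strict=False)  # plain CIDR or single host


def matches(ip, expr, vars_=THREAD_VARS):
    """True if address `ip` falls inside the address set described by `expr`."""
    return _eval(ipaddress.ip_address(ip), expr, vars_)


def rule_fires(src_ip, dst_ip, src_expr, dst_expr, vars_=THREAD_VARS):
    """Would a rule header '<src_expr> any -> <dst_expr> any' match this packet?"""
    return matches(src_ip, src_expr, vars_) and matches(dst_ip, dst_expr, vars_)


def compare_spellings(ips):
    """Evaluate both EXTERNAL_NET spellings from the quoted question against `ips`."""
    v = {"TRUSTED_NET": "[192.168.40.0/24,10.14.0.0/16]"}
    via_var = "!$TRUSTED_NET"
    inline = "[!192.168.40.0/24,!10.14.0.0/16]"
    return {ip: (matches(ip, via_var, v), matches(ip, inline, v)) for ip in ips}


if __name__ == "__main__":
    # Constructed packets: source -> 192.168.40.1, checked against Don's variables.
    for src in ("172.16.5.5", "192.168.40.7", "66.166.50.9", "10.14.1.1"):
        hit = rule_fires(src, "192.168.40.1", "$EXTERNAL_NET", "$HOME_NET")
        print(src, "-> 192.168.40.1:", "ALERT" if hit else "quiet")
    print(compare_spellings(["192.168.40.7", "10.14.1.1", "8.8.8.8"]))
    # Don's ICMP case: EXTERNAL_NET left wide open vs. the rule narrowed to !$TRUSTED_NET.
    wide = dict(THREAD_VARS, EXTERNAL_NET="any", TRUSTED_NET="[192.168.40.0/24]")
    print(rule_fires("192.168.40.5", "10.14.0.9", "$EXTERNAL_NET", "$HOME_NET", wide),
          rule_fires("192.168.40.5", "10.14.0.9", "!$TRUSTED_NET", "$HOME_NET", wide))
```

Under this model the two spellings in the quoted question behave identically, and with Don's variables traffic from the third HOME_NET subnet (10.14.0.0/16) still fires a `$EXTERNAL_NET -> $HOME_NET` rule while the two TRUSTED_NET subnets stay quiet. Whether a real Snort build of a given version treats `[!a,!b]` the same way is something to confirm against that version's documentation before relying on it.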
Current thread:
- RE: Home_net & external_net, (continued)
- RE: Home_net & external_net Don (Dec 05)
- Re: Home_net & external_net Erek Adams (Dec 05)
- RE: Home_net & external_net Jeremy Finke (Dec 06)
- RE: Home_net & external_net Erek Adams (Dec 06)
- RE: Home_net & external_net Don (Dec 06)
- RE: Home_net & external_net Erek Adams (Dec 06)
- RE: Home_net & external_net Erek Adams (Dec 06)
- RE: Home_net & external_net Jeremy Finke (Dec 06)
- RE: Home_net & external_net Erek Adams (Dec 06)
- Re: Home_net & external_net Jens Krabbenhoeft (Dec 09)
- RE: Home_net & external_net Jeremy Finke (Dec 06)
- RE: Home_net & external_net Don (Dec 06)