Snort mailing list archives

Re: one IP

From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 04 Feb 2004 11:54:00 -0500

At 07:49 AM 2/4/2004, Keming wrote:

Hi,

Im trying to monitor only one IP as destination of the subnet but

snort.conf -> var HOME_NET 1.2.3.4/32
and/or
snort.conf -> var HOME_NET 1.2.3.4

seems to obsevere and alert all in this subnet (as destinaton) ?

That should work, but it will only work for rules, and only rules thatactualy reference the HOME_NET.

There's a few rules in the ruleset which use 'any' where they should useHOME_NET.

And the preprocessors are mostly unaffected by HOME_NET.. so any alertsspit out by the preprocessors won't be limited to HOME_NET.



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

one IP Keming (Feb 04)
- Re: one IP Matt Kettler (Feb 04)
- <Possible follow-ups>
- RE: one IP JP Vossen (Feb 05)