Snort mailing list archives
Re: suppresing events from private lan
From: hans <rosa.schwein () ma yer at>
Date: Thu, 17 Feb 2005 08:05:14 +0100
hi matt

thanks for response.

i didn't set HOME_NET in the config-file, as i do start snort with -h option.

so the following should work for:

    var HOME_NET $bge0_ADDRESS [172.20.1.0/24]
    var EXTERNAL_NET !$HOME_NET

bge0 is the plumbed interface up and running and bge2 is the if, where snort is listening. therefore i would start snort with -i bge2 and without -h

ok?

best regards
hans

--

On Wed, Feb 16, 2005 at 05:42:51PM -0500, Matt Kettler wrote:
> At 04:22 PM 2/16/2005, hans wrote:
> > i want to suppress all events from my private lan, which has ip-adr
> > 172.20.x.y ( rfc 1918 )
> > reading http://www.snort.org/docs/snort_manual/node13.html
> > i see gen_id and sig_id are required
> > are there wildcards ?
>
> Don't do it that way.. suppress is really intended to fix one or two rules..
>
> Instead, set EXTERNAL_NET to be !$HOME_NET.. this will take care of the
> majority of them. The few remaining rules you can use suppress, or you can
> take things to an extreme and use a bpf statement on the snort command line
> to prevent snort from seeing the packets at all. (the bp filter format is
> the same one used by the tcpdump command line)
>
> > question 2: what are AIM_SERVERS in my snort.config
>
> The list of AOL instant messenger servers for the AIM detection rules.
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
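Added example, not part of the original messages: a small audit that shows which rule headers can still match LAN-sourced packets once EXTERNAL_NET is !$HOME_NET, i.e. the "few remaining rules" left for suppress or a BPF filter. The /16 written for 172.20.x.y, the sample rules and their sids are constructed assumptions, and only plain CIDR lists are handled (no $bge0_ADDRESS-style interface variables, no negation inside a list).

```python
import ipaddress
import re

# Assumed values: the poster's 172.20.x.y LAN written as a /16.
VARS = {"HOME_NET": "172.20.0.0/16", "EXTERNAL_NET": "!$HOME_NET"}
# Constructed sample rules; the sids are made up, not from a real rule set.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed inbound web"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"constructed outbound chat"; sid:1000002;)
alert icmp any any -> $HOME_NET any (msg:"constructed ping"; sid:1000003;)
alert tcp !$HOME_NET any <> $HOME_NET 23 (msg:"constructed telnet"; sid:1000004;)
"""
# action proto SRC sport DIRECTION DST dport (options)
HEADER = re.compile(r"^\w+\s+\w+\s+(\S+)\s+\S+\s+(->|<>)\s+(\S+)\s+\S+\s+\((.*)\)\s*$")

def resolve(spec, variables):
    """Expand $VAR and leading '!'; return (negated, networks), None meaning 'any'."""
    negated = False
    while True:
        if spec.startswith("!"):
            negated, spec = not negated, spec[1:]
        elif spec.startswith("$"):
            spec = variables[spec[1:]]
        else:
            break
    if spec == "any":
        return negated, None
    return negated, [ipaddress.ip_network(n) for n in spec.strip("[]").split(",")]

def can_match_lan(spec, lan, variables):
    """True if some address inside `lan` satisfies the address spec."""
    negated, nets = resolve(spec, variables)
    if nets is None:
        return not negated
    if negated:  # a negated spec excludes the LAN only if a listed net covers it
        return not any(lan.subnet_of(n) for n in nets)
    return any(lan.overlaps(n) for n in nets)

def rules_still_firing(rules_text, lan_cidr, variables):
    """Return sids of rules that a packet sourced from the LAN can still trigger."""
    lan = ipaddress.ip_network(lan_cidr)
    sids = []
    for m in filter(None, map(HEADER.match, rules_text.splitlines())):
        src, direction, dst, opts = m.groups()
        # With '<>' the packet source may match either side of the header.
        sides = [src] + ([dst] if direction == "<>" else [])
        if any(can_match_lan(s, lan, variables) for s in sides):
            sids.append(int(re.search(r"sid:\s*(\d+)", opts).group(1)))
    return sids
```

Rules written with `any` or `$HOME_NET` as a possible source are the ones that remain after the variable change.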