Re: suppresing events from private lan

[Matt Kettler <mkettler () evi-inc com>]

At 02:05 AM 2/17/2005, hans wrote:
> i didn't set HOME_NET in the config-file, as i do start
> snort with -h option.

Those are NOT the same thing.

-h has nothing to do with var HOME_NET, despite the blatantly confusing 
naming chosen (bad naming conventions are a common curse amongst 
programmers, snort's devels are no different.).

-h has to do with which side snort's text-mode alert output will present as 
the source of attack once an alert is detected. Thus, it changes the format 
of alerts, but does not impact wether an alert will be generated or not.

HOME_NET has to do with what targets will be monitored for attack in the 
rules. It doesn't change the output format, but does impact wether an alert 
will be generated or not.

Two totally different aspects of snort are involved, but in theory both 
should be set to the same thing... hence the common, and often confusing, 
name...


> so the following should work for:
>
> var HOME_NET $bge0_ADDRESS [172.20.1.0/24]

Hmm.. that won't work, when doing multiple ranges you need to have them all 
enclosed inside the brackets and separated by commas. I've never tried 
mixing interface and static addresses, but if it's supported, this would be 
the correct syntax:

var HOME_NET [$bge0_ADDRESS, 172.20.1.0/24]


> var EXTERNAL_NET !$HOME_NET



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users