Snort mailing list archives
Re: Exclude one IP
From: Joel Esler <joel.esler () sourcefire com>
Date: Wed, 2 Nov 2005 11:46:34 -0500
Thanks for all the interest in this issue and I'm sorry for the confusion my responses have caused. I apologize for not properly verifying the information before answering emails. After doing all my homework right this time, here is the relevant information.
Question: How do I exclude one particular IP from an included range in a HOME_NET?

Example: [10.1.10.0/24]; say we wanted to exclude one particular IP, 10.1.10.24, from that range, to have that one .24 IP analyzed as "EXTERNAL_NET".

Things you cannot do:

    var HOME_NET [10.1.10.0/24,!10.1.10.24]         (won't work)
    var HOME_NET [10.1.10.0:23,10.1.10.25:254]      (won't work)

Things you can do:

- Use pass rules:

    pass tcp $HOME_NET any -> 10.1.10.24 any (msg:"Pass rule for 10.1.10.24 tcp"; sid:1000000000;)
    pass udp $HOME_NET any -> 10.1.10.24 any (msg:"Pass rule for 10.1.10.24 udp"; sid:10000000001;)
    pass icmp $HOME_NET any -> 10.1.10.24 any (msg:"Pass rule for 10.1.10.24 ICMP"; sid:1000000002;)

- Use suppression:

    suppress track by_dst 10.1.10.24

- Use a BPF:

    at the end of the command line:            "not host 10.1.10.24"
    as an included bpf file (at the command line): -F snort.bpf

- Define the home net differently:

    var HOME_NET [10.1.10.0/28,10.1.10.16/32,10.1.10.17/32,\
    10.1.10.18/32,10.1.10.19/32,10.1.10.20/32,10.1.10.21/32,\
    10.1.10.22/32,10.1.10.23/32,10.1.10.25/32...10.1.10.128/32\
    ,10.1.10.129/25]

  NOTE: this line is not complete, I'm not going to write them all :P

I will have this information added to the FAQ and documentation shortly. Again, my apologies to all and hopefully this clears it up. Back to guzzling Orange Juice.
Joel Esler
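The last option in the post, spelling HOME_NET out as a list of CIDR blocks that leaves the one host uncovered, is tedious by hand, which is why the post stops partway through. The script below is an added example (not code from the post or from the Snort project) that generates that list with Python's standard ipaddress module, which splits a network around an excluded address into the minimal set of CIDR blocks. It also emits the equivalent BPF expression and pass rules in the form the post uses. It goes beyond the post in accepting several excluded hosts at once and in checking that every other address in the range is still covered exactly once. Addresses, the variable name, and the SID range are constructed for illustration; the rule syntax assumed is Snort 2.x.

```python
"""Generate a Snort HOME_NET that leaves out individual hosts.

Added example, not code from the Snort project or from the mailing-list post.
Automates the "define the home net differently" option and emits the
equivalent BPF filter and pass rules (Snort 2.x syntax assumed).
Addresses and SIDs are constructed for illustration.
"""
import ipaddress


def exclude_hosts(home_net, excluded):
    """Return sorted CIDR strings covering `home_net` minus each host in `excluded`.

    ipaddress.address_exclude() yields the minimal CIDR decomposition, at most
    one block per prefix length. Hosts outside `home_net` are ignored, so the
    range comes back unchanged rather than raising.
    """
    nets = [ipaddress.ip_network(home_net, strict=False)]
    for host in excluded:
        target = ipaddress.ip_network(host)  # single address -> /32 (or /128)
        carved = []
        for net in nets:
            if target.subnet_of(net):
                carved.extend(net.address_exclude(target))
            else:
                carved.append(net)
        nets = carved
    return [str(n) for n in sorted(nets)]


def home_net_var(nets, name="HOME_NET"):
    """Render a Snort 2.x list variable: var HOME_NET [a,b,c]."""
    return f"var {name} [{','.join(nets)}]"


def bpf_filter(excluded):
    """BPF expression that drops the excluded hosts before Snort inspects them."""
    terms = " or ".join(f"host {h}" for h in excluded)
    return f"not ({terms})" if len(excluded) > 1 else f"not {terms}"


def pass_rules(excluded, first_sid=1000000):
    """One pass rule per protocol per host, in the post's form, with unique SIDs.

    Like the post's rules these only match traffic *toward* the host; traffic
    the host originates into $HOME_NET is still inspected.
    """
    rules = []
    sid = first_sid  # constructed starting SID; pick one in your local range
    for host in excluded:
        for proto in ("tcp", "udp", "icmp"):
            rules.append(
                f'pass {proto} $HOME_NET any -> {host} any '
                f'(msg:"Pass rule for {host} {proto}"; sid:{sid};)'
            )
            sid += 1
    return rules


def check_coverage(home_net, excluded, nets):
    """True if every address in home_net is in exactly one block, except the
    excluded hosts, which must be in none. Catches typos like an overlapping
    or off-by-one block in a hand-written list."""
    blocks = [ipaddress.ip_network(n) for n in nets]
    excl = {ipaddress.ip_address(h) for h in excluded}
    for addr in ipaddress.ip_network(home_net, strict=False):
        hits = sum(addr in b for b in blocks)
        if hits != (0 if addr in excl else 1):
            return False
    return True


if __name__ == "__main__":
    home, hosts = "10.1.10.0/24", ["10.1.10.24"]
    nets = exclude_hosts(home, hosts)
    print(home_net_var(nets))
    print("BPF:", bpf_filter(hosts))
    print("\n".join(pass_rules(hosts)))
    print("coverage ok:", check_coverage(home, hosts, nets))
```

For 10.1.10.0/24 minus 10.1.10.24 this yields eight blocks (10.1.10.0/28, 10.1.10.16/29, 10.1.10.25/32, 10.1.10.26/31, 10.1.10.28/30, 10.1.10.32/27, 10.1.10.64/26, 10.1.10.128/25), far shorter than listing /32s. Two caveats when choosing between the options: the BPF route means Snort never sees the host's packets at all, so nothing is logged for it, whereas the rewritten HOME_NET still inspects the host, just as EXTERNAL_NET. And pass rules only take effect if Snort evaluates them before alert rules; Snort releases of that era applied rules in Alert, Pass, Log order unless started with -o or given a config order directive, so check the manual for the version you run.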