Snort mailing list archives
Re: Exclude one IP
From: Joel Esler <joel.esler () sourcefire com>
Date: Wed, 2 Nov 2005 11:46:34 -0500
Thanks for all the interest in this issue and I'm sorry for the confusion my responses have caused. I apologize for not properly verifying the information before answering emails. After doing all my homework right this time, here is the relevant information.
Question: How do I exclude one particular IP from an included range in a HOME_NET.
Example: [10.1.10.0/24], say we wanted to exclude one particular IP:
10.1.10.24 from that range, to have that one .24 IP analyzed as
"EXTERNAL_NET".
Things you cannot do:
var HOME_NET [10.1.10.0/24,!10.1.10.24] (won't work)
var HOME_NET [10.1.10.0:23,10.1.10.25:254] (won't work)
Things you can do:
- Use Pass rules:
- pass tcp $HOME_NET any -> 10.1.10.24 any (msg:"Pass rule for \
10.1.10.24 tcp"; sid:1000000000;)
- pass udp $HOME_NET any -> 10.1.10.24 any (msg:"Pass rule for \
10.1.10.24 udp"; sid:10000000001;)
- pass icmp $HOME_NET any -> 10.1.10.24 any (msg:"Pass rule for \
10.1.10.24 ICMP"; sid:1000000002;)
- Use suppression
- suppress track by_dst 10.1.10.24
- Use a BPF
- (at the end of the command line) "not host 10.1.10.24"
- as an included bpf file ( at the command line ) -F snort.bpf
- Define the home net differently
- var HOME_NET [10.1.10.0/28,10.1.10.16/32, 10.1.10.17/32,\
10.1.10.18/32,10.1.10.19/32,10.1.10.20/32,10.1.10.21/32,\
10.1.10.22/32,10.1.10.23/32,10.1.10.25/32...10.1.10.128/32\
,10.1.10.129/25]
NOTE: this line is not complete, I'm not going to write them all :P
I will have this information added to the FAQ and documentation
shortly. Again, my apologies to all and hopefully this clears it up.
Back to guzzling Orange Juice.
Joel Esler ------------------------------------------------------- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Exclude one IP, (continued)
- Re: Exclude one IP Joel Esler (Nov 01)
- Re: Exclude one IP Matt Kettler (Nov 01)
- Re: Exclude one IP Joel Esler (Nov 01)
- Re: Exclude one IP Joel Esler (Nov 01)
- Re: Exclude one IP Paul Schmehl (Nov 01)
- Re: Exclude one IP Joel Esler (Nov 01)
- Re: Exclude one IP Matt Kettler (Nov 01)
- Re: Exclude one IP Joel Esler (Nov 01)
- Re: Exclude one IP Matt Kettler (Nov 01)
- RE: Exclude one IP Paul Melson (Nov 02)
- Re: Exclude one IP Joel Esler (Nov 02)
- Re: Exclude one IP Matt Kettler (Nov 01)
- Re: Exclude one IP Joel Esler (Nov 01)