Re: Excluding a single IP from HOME_NET

[Cees <celzinga () gmail com>]

Darryl: Thanks. I configured Snort that way after all too (however I
didn't knew about that ipcalc option and calculated the addresses by
hand...)

btw I posted a follow-up on this thread on the snort-devel list!

Cees

On Fri, Jun 6, 2008 at 2:24 PM, Darryl Taylor <taylordl () fastmail us> wrote:
> You could include all the networks that you want and not include then nets
> you don't. I needed help so I used ipcalc. To exclude 10.1.1.1 for example I
> used the calculations below. Then I would include everything except
> 10.1.1.0/31. That will remove both 10.1.1.0/32 and 10.1.1.1/32 but it
> basically does what you want without doing negations. There's probably some
> slicker way to do it but ....
> Hope that helps.
> dtaylor@cayman ~ $ ipcalc  10.0.0.0 - 10.1.1.1
> deaggregate 10.0.0.0 - 10.1.1.1
> 10.0.0.0/16
> 10.1.0.0/24
> 10.1.1.0/31
> dtaylor@cayman ~ $ ipcalc  10.1.1.2 - 10.255.255.255
> deaggregate 10.1.1.2 - 10.255.255.255
> 10.1.1.2/31
> 10.1.1.4/30
> 10.1.1.8/29
> 10.1.1.16/28
> 10.1.1.32/27
> 10.1.1.64/26
> 10.1.1.128/25
> 10.1.2.0/23
> 10.1.4.0/22
> 10.1.8.0/21
> 10.1.16.0/20
> 10.1.32.0/19
> 10.1.64.0/18
> 10.1.128.0/17
> 10.2.0.0/15
> 10.4.0.0/14
> 10.8.0.0/13
> 10.16.0.0/12
> 10.32.0.0/11
> 10.64.0.0/10
> 10.128.0.0/9
> Darryl
>
> On May 30, 2008, at 10:59 AM, Cees wrote:
>
> Didn't know about the "-o" flag, but that won't work after in my setup - I'm
> interested in traffic to and from the proxy server.
>
> > If however we want proxy to *not be part of external_net* then we can do
> > this:
> > var EXTERNAL_NET !10.0.0.0/8
>
> Thanks for testing. The proxy should be excluded from  HOME_NET, but
> included in EXTERNAL_NET, so this won't work either..
>
> Cees
>
> On Fri, May 30, 2008 at 3:03 PM, Jeff Kell <jeff-kell () utc edu> wrote:
> > Cees wrote:
> > > (BTW Jeff, a pass rule won't work since the IDS isn't placed inline.)
> >
> > If you use the pass rule, and run snort with "-o" so pass rules come
> > first, the net effect is that your excluded IP matches the pass rule and no
> > further rules are evaluated on that packet.
> >
> > Doesn't matter if you're inline or not.
> >
> > Jeff
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users