[Snort-sigs] Ignoring just one host
GDanko at ...1711...
Mon Jul 28 13:56:03 EDT 2003
I currently have two snort sensors, one inside the firewall and one outside.
All internal traffic is nat'd through a single public IP address outside the
firewall. Here's the problem.
If a user on a public IP triggers an alert, I get two alerts for it. The
first alert is from the internal sensor on the private network. The second
alert is from the public nat'd IP address.
So I want to ignore all traffic on that public nat'd IP address. Here's what
I have on my external sensor.
var IGNORE_HOSTS 18.104.22.168
var HOME_NET [22.214.171.124/24,126.96.36.199/25,!$IGNORE_HOSTS]
var EXTERNAL_NET !$IGNORE_HOSTS
So 188.8.131.52 is my nat'd IP on the public network. I want to ignore it
from all traffic analysis. This doesn't seem to work. Did I do something