[Snort-sigs] Ignoring just one host
SMoyer at ...758...
Mon Jul 28 14:27:08 EDT 2003
How about just passing the BPF expression 'not host 188.8.131.52' when starting snort?
From: Gary Danko [mailto:GDanko at ...1711...]
Sent: Monday, July 28, 2003 3:58 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Ignoring just one host
I currently have two snort sensors, one inside the firewall and one outside. All internal traffic is nat'd through a single public IP address outside the firewall. Here's the problem.
If a user on a public IP triggers an alert, I get two alerts for it. The first alert is from the internal sensor on the private network. The second alert is from the public nat'd IP address.
So I want to ignore all traffic on that public nat'd IP address. Here's what I have on my external sensor.
var IGNORE_HOSTS 184.108.40.206
var HOME_NET [220.127.116.11/24,18.104.22.168/25,!$IGNORE_HOSTS]
var EXTERNAL_NET !$IGNORE_HOSTS
So 22.214.171.124 is my nat'd IP on the public network. I want to ignore it from all traffic analysis. This doesn't seem to work. Did I do something wrong?
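Added illustration (not part of either poster's message): a small Python model of the two approaches discussed in this thread, with constructed RFC 5737 addresses standing in for the poster's NAT IP and public nets. It shows why the BPF filter is the blunter tool: 'not host X' discards a packet before any rule is evaluated, while negating the host inside HOME_NET/EXTERNAL_NET only affects rules whose address fields reference those variables, so a rule written with `any` still matches. Ports and payload are ignored; only the address part of a rule is modelled.

```python
import ipaddress

# Constructed example addresses (not the poster's real network).
NAT_IP = "203.0.113.10"                          # the nat'd public address to ignore
HOME_NETS = ["203.0.113.0/24", "198.51.100.0/25"]  # stand-in for the poster's HOME_NET nets
IGNORE_HOSTS = [NAT_IP]                          # var IGNORE_HOSTS

def in_set(ip, nets, negated_hosts=()):
    """Snort-style address set: ip is in one of nets (or nets == 'any')
    and is not one of the negated (!) hosts."""
    addr = ipaddress.ip_address(ip)
    if any(addr == ipaddress.ip_address(h) for h in negated_hosts):
        return False
    return nets == "any" or any(addr in ipaddress.ip_network(n) for n in nets)

def home_net(ip):       # var HOME_NET [nets, !$IGNORE_HOSTS]
    return in_set(ip, HOME_NETS, IGNORE_HOSTS)

def external_net(ip):   # var EXTERNAL_NET !$IGNORE_HOSTS
    return in_set(ip, "any", IGNORE_HOSTS)

# Address part of three typical rule headers.
RULES = {
    "ext_to_home": lambda s, d: external_net(s) and home_net(d),
    "home_to_ext": lambda s, d: home_net(s) and external_net(d),
    "any_to_any":  lambda s, d: True,   # e.g. 'alert tcp any any -> any any'
}

def bpf_not_host(src, dst, host):
    """BPF 'not host X': packet survives only if neither address is X."""
    return src != host and dst != host

def alerts(pkts, bpf_host=None):
    """Names of rules whose address part matches each (src, dst) packet.
    With bpf_host set, the BPF pre-filter runs before any rule is consulted."""
    out = []
    for src, dst in pkts:
        if bpf_host is not None and not bpf_not_host(src, dst, bpf_host):
            continue
        out.extend(name for name, match in RULES.items() if match(src, dst))
    return out
```

Traffic to the NAT address still trips an `any -> any` rule under the variable-only configuration, but nothing fires once `not host` removes those packets up front.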