[Snort-users] Why doesn't this work?

Martin Roesch roesch at ...1...
Thu Jul 20 09:50:15 EDT 2000


var INTERNAL 200.0.0.0/8 (see below)

Remove it to stop alerts to that domain....

"Ralf Günthner" wrote:
> 
> I have lots of internal nets, most of them in the 10.x range but also 200.* and others. I start snort with this config file:
> 
> var INTERNAL 10.0.0.0/8
> var EXTERNAL !10.0.0.0/8
> var HOME_NET $INTERNAL
> include /root/snort/vision.conf.txt
> include /root/snort/06082k.rules.txt

  vvvvvvvvvvvvvvvvvvvvvvvv
> var INTERNAL 200.0.0.0/8
  ^^^^^^^^^^^^^^^^^^^^^^^^

> var EXTERNAL !10.0.0.0/8
> var HOME_NET $INTERNAL
> include /root/snort/vision.conf.txt
> include /root/snort/06082k.rules.txt
> 
> startup command for snort:
> snort -i eth0 -h 10.0.0.0/8 -l ./log -o -e -d -c myrules.cfg &
> 
> But I'm still getting alerts on packets originating in the 200.x range. Can anyone point out what's wrong?
> 
> Thanks
> Cheers
> Ralf
> 

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
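
Added example, not part of the original message and not Snort code: a small lint for the quoted config that reports variables redefined with a different value and the values left in effect. It assumes the last `var` definition wins and that `$NAME` is expanded when the line is read; the function names and the test address 200.1.2.3 are made up for illustration.

```python
import ipaddress
import re

# Constructed sample: the var/include lines quoted in the message, in file order.
SAMPLE_CONFIG = """\
var INTERNAL 10.0.0.0/8
var EXTERNAL !10.0.0.0/8
var HOME_NET $INTERNAL
include /root/snort/vision.conf.txt
var INTERNAL 200.0.0.0/8
var EXTERNAL !10.0.0.0/8
var HOME_NET $INTERNAL
"""

VAR_LINE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")


def effective_vars(text):
    """Return (final values, redefinitions); assumes the last definition wins."""
    final, changed = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = VAR_LINE.match(line)
        if not m:
            continue  # include lines, comments, rules
        name, raw = m.groups()
        # Assumption: $NAME is expanded with the values known at this line.
        value = re.sub(r"\$(\w+)", lambda r: final.get(r.group(1), r.group(0)), raw)
        if name in final and final[name] != value:
            changed.setdefault(name, []).append((lineno, final[name], value))
        final[name] = value
    return final, changed


def in_var(value, addr):
    """True if addr matches a single CIDR value, honouring a leading '!'."""
    negate = value.startswith("!")
    net = ipaddress.ip_network(value.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


if __name__ == "__main__":
    final, changed = effective_vars(SAMPLE_CONFIG)
    for name, events in changed.items():
        for lineno, old, new in events:
            print(f"line {lineno}: {name} redefined {old} -> {new}")
    for name in ("HOME_NET", "EXTERNAL"):
        print(name, "=", final[name], "| matches 200.1.2.3:", in_var(final[name], "200.1.2.3"))
```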
