[Snort-users] Multiple networks and port-scanning...

Peter Bates peter.bates at ...79...
Wed Jul 26 11:33:14 EDT 2000


Hello all...


A bit of a novice couple of questions
here, so hopefully you can bear with me...


I have 12 non-contiguous (well, there
are in fact 3 blocks of 4 contiguous Class C networks)
Class C's, and I'm trying to cover them
under rules in snort...

I have:

var HOME_NET x.x.x.x/22
var HOME_NET2 y.y.y.y/22
var HOME_NET3 z.z.z.z/22

the questions are:

What sort of pass rules can
I write to pretty much exclude
traffic between these networks
(foolhardy from the point of 'internal' attacks, but there you go)...


And then I have:

preprocessor portscan: x.x.x.x/22 3 5 /var/log/snort_portscan.log
preprocessor portscan-ignorehosts: $HOME_NET,$HOME_NET2,$HOME_NET3


will the ignorehosts line work, interpolating the values?


and can I somehow have the portscan
line cover all of the 3 blocks mentioned
in HOME_NET,HOME_NET2 and HOME_NET3???



Thanks...




-- 
---------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362



