[Snort-users] rules precision

Raphael Bauduin rb at ...573...
Wed Oct 11 06:40:25 EDT 2000


Hi!

Here's how I'd like to use snort:
we have a private LAN (192.168) and I want to verify that there are no
suspect activities on it. But a lot of suspect activity could come from a
machine on the LAN. (Some machines have a public interface. So if an
intruder cracks one of the machines with a public IP, he will try to go
further on the private LAN and the suspect activity will come from HOME_NET.)

My question is: I see a lot of rules that specify "from !HOME_NET". I suppose
that if the suspect activity comes from a machine on my private LAN, it won't
be detected... Is it useful to rewrite all rules so they match "from
HOME_NET"? Where can I look for rules useful for my specific needs?

Thanks for your advice!

Raph

-- 
              ---------------------------------- 
             |  -o)                        (o-  |
             |  /\\     Linux for ever     //\  |
             | _\_v                        v_/_ |
              ---------------------------------- 

   If windows is the answer, it must have been a stupid question.
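Added example (not part of the original post, and not Snort's own code): a small re-implementation of how a Snort-style source address qualifier such as `!$HOME_NET` decides whether a rule fires. The rule header layout (`action proto src_addr src_port -> dst_addr dst_port`) follows Snort's syntax; the HOME_NET value, the rule strings and the two packets are constructed for the example. It shows the point raised above: a rule written with `!$HOME_NET` as the source never matches traffic that originates on the 192.168 LAN, while the same rule with `any` as the source still catches the external case and additionally sees the compromised-internal-host case.

```python
"""Toy matcher for Snort-style address qualifiers (example code, not Snort)."""
import ipaddress
from dataclasses import dataclass

# Assumed variable values for the example: the poster's 192.168/16 private LAN.
VARIABLES = {
    "HOME_NET": [ipaddress.ip_network("192.168.0.0/16")],
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def resolve(spec):
    """Turn an address spec ('any', '$HOME_NET', '!$HOME_NET', '10.0.0.0/8')
    into (negated, list_of_networks)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("$"):
        return negated, VARIABLES[spec[1:]]
    return negated, [ipaddress.ip_network(spec, strict=False)]


def addr_matches(spec, ip):
    """True when ip satisfies the spec; '!' flips the membership test."""
    negated, nets = resolve(spec)
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated


def rule_matches(rule_header, pkt):
    """Evaluate only the header part of a rule, e.g.
    'alert tcp !$HOME_NET any -> $HOME_NET 23' (rule options are ignored)."""
    _action, _proto, src, _sport, _arrow, dst, dport = rule_header.split()
    if not addr_matches(src, pkt.src) or not addr_matches(dst, pkt.dst):
        return False
    return dport == "any" or int(dport) == pkt.dport


# Constructed rule headers: the "external source only" form from the rule
# sets the poster describes, and the broader "any source" form.
EXTERNAL_ONLY = "alert tcp !$HOME_NET any -> $HOME_NET 23"
ANY_SOURCE = "alert tcp any any -> $HOME_NET 23"

# Constructed packets: one from the Internet, one from a cracked LAN host.
FROM_INTERNET = Packet("203.0.113.7", "192.168.1.10", 23)
FROM_LAN = Packet("192.168.1.5", "192.168.1.10", 23)


def coverage(rule_header):
    """Which of the two packets the rule would alert on."""
    return {
        "internet": rule_matches(rule_header, FROM_INTERNET),
        "lan": rule_matches(rule_header, FROM_LAN),
    }


if __name__ == "__main__":
    for name, header in (("external_only", EXTERNAL_ONLY), ("any_source", ANY_SOURCE)):
        print(name, coverage(header))
```

Running the block prints that the `!$HOME_NET` rule alerts only on the packet from the Internet, whereas the `any` rule alerts on both. In practice this is why later Snort rule sets write the source as `$EXTERNAL_NET` and let the administrator set that variable to `any` in snort.conf instead of editing every rule; the trade-off is that internal-to-internal traffic then has to pass the same signatures, which raises alert volume on a busy LAN.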
