[Snort-users] rules precision

Raphael Bauduin rb at ...573...
Wed Oct 11 09:37:55 EDT 2000


This is the second time I'm sending this mail, because it seems my first attempt 
didn't make it (our mail server had some problems...).
Sorry if you already got it...

Here's how I'd like to use snort:
we have a private LAN (192.168) and I want to verify that there is no 
suspect activity on it. But a lot of suspect activity could come from a 
machine on the LAN itself (some machines have a public interface, so if an 
intruder cracks one of the machines with a public IP, he will try to go 
further on the private LAN, and the suspect activity will come from HOME_NET).

My question is: I see a lot of rules that specify "from !HOME_NET". I suppose 
that if the suspect activity comes from a machine on my private LAN, it won't 
be detected... Is it useful to rewrite all rules so they match "from 
HOME_NET"? Where can I look for rules useful for my specific needs?

Thanks for your advice!
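The blind spot the poster suspects can be shown by evaluating the address fields of a Snort-style rule header against two packets: one from the Internet and one from an already-compromised LAN host. The following is an added illustration, not code from the original post or from Snort itself. It assumes a HOME_NET of 192.168.0.0/16, constructed rule text and packet addresses, and only the classic `action proto src_ip src_port -> dst_ip dst_port` header form; real Snort also checks protocol, ports and the rule options, which are ignored here.

```python
import ipaddress

# Constructed value (assumption, not from the original post): the poster's
# private LAN, expressed as the Snort HOME_NET variable.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")


def parse_header(rule):
    """Split a Snort-style rule header into its address fields.

    Handles the classic form:  action proto src_ip src_port -> dst_ip dst_port
    Only the two address fields matter for this demonstration; ports and the
    rule options in parentheses are ignored.
    """
    parts = rule.split()
    if len(parts) < 7 or parts[4] != "->":
        raise ValueError(f"unsupported rule header: {rule!r}")
    return {"action": parts[0], "proto": parts[1],
            "src": parts[2], "dst": parts[5]}


def addr_matches(spec, ip):
    """Evaluate one address field: 'any', '$HOME_NET', '!$HOME_NET', CIDR, '!CIDR'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = addr in HOME_NET
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return not hit if negate else hit


def rule_fires(rule, src_ip, dst_ip):
    """True when both address fields of the rule header match the packet."""
    hdr = parse_header(rule)
    return addr_matches(hdr["src"], src_ip) and addr_matches(hdr["dst"], dst_ip)


def coverage_report(rules, packets):
    """Map each (src, dst) packet to the list of rules whose header matches it."""
    return {pkt: [r for r in rules if rule_fires(r, *pkt)] for pkt in packets}


# Constructed rules: the "from !HOME_NET" form the poster saw, and a variant
# whose source field is 'any', so it also covers an attacker already on the LAN.
EXTERNAL_ONLY = 'alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"telnet from outside";)'
ANY_SOURCE = 'alert tcp any any -> $HOME_NET 23 (msg:"telnet to LAN host";)'

# Constructed packets: one from the Internet, one from a compromised LAN host
# moving laterally to another LAN host.
FROM_INTERNET = ("203.0.113.5", "192.168.1.10")
FROM_LAN_HOST = ("192.168.1.20", "192.168.1.10")

if __name__ == "__main__":
    report = coverage_report([EXTERNAL_ONLY, ANY_SOURCE], [FROM_INTERNET, FROM_LAN_HOST])
    for pkt, fired in report.items():
        print(pkt, "matched by source fields:", [parse_header(r)["src"] for r in fired])
```

Running it shows that the `!$HOME_NET` rule matches the packet from 203.0.113.5 but stays silent on the LAN-to-LAN packet, while the `any` version matches both. Widening the source field to `any` (rather than rewriting it to `$HOME_NET`, which would then miss the Internet case) is what closes the gap; the trade-off is more alerts from legitimate internal traffic, so the destination, port and option fields still do the real filtering.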


