[Snort-users] rules precision

Steve Halligan agent33 at ...187...
Wed Oct 11 11:40:26 EDT 2000


The "any" rulesets available at
http://www.snort.org/Files/09262kany.rules
No HOME_NET or !HOME_NET... just any any any.


> -----Original Message-----
> From: Raphael Bauduin [mailto:rb at ...573...]
> Sent: Wednesday, October 11, 2000 5:40 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] rules precision
> 
> 
> Hi!
> 
> Here's how I'd like to use snort:
> we have a private LAN (192.168) and I want to verify that there are no
> suspect activities on it. But a lot of suspect activity could come from a
> machine on the LAN. (Some machines have a public interface. So if an
> intruder cracks one of the machines with a public IP, he will try to go
> further on the private LAN and the suspect activity will come from HOME_NET.)
> 
> My question is: I see a lot of rules that specify "from !HOME_NET". I suppose
> that if the suspect activity comes from a machine on my private LAN, it won't
> be detected... Is it useful to rewrite all rules so they match "from
> HOME_NET"? Where can I look for rules useful for my specific needs?
> 
> Thanks for your advice!
> 
> Raph
> 
> -- 
> -- 
>               ---------------------------------- 
>              |  -°)                        (°-  |
>              |  /\\     Linux for ever     //\  |
>              | _\_v                        v_/_ |
>               ---------------------------------- 
> 
>    If windows is the answer, it must have been a stupid question.
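An added example, not part of either message and not Snort's own code: a small Python check of which rule headers cannot fire on LAN-to-LAN traffic, plus a rewrite of both address fields to `any` in the spirit of the "any" ruleset mentioned in the reply. The sample rules, the `192.168.0.0/16` value for HOME_NET, the host addresses and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: HOME_NET is the whole private range hinted at by "192.168" in the question.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")

# Constructed sample rules (not taken from any shipped ruleset).
RULES = [
    'alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP probe";)',
    'alert tcp $HOME_NET any -> !$HOME_NET 6667 (msg:"outbound IRC";)',
    'alert udp any any -> $HOME_NET 161 (msg:"SNMP query";)',
]

# action proto src_addr src_port direction dst_addr dst_port (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+(\(.*\))$')

def addr_matches(spec, ip):
    """Evaluate one address field (any, $HOME_NET, a CIDR, optionally negated)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = ip in HOME_NET
    else:
        hit = ip in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def header_matches(rule, src, dst):
    """True if the rule's address fields admit traffic src -> dst (ports ignored)."""
    _, _, rsrc, _, direction, rdst, _, _ = HEADER.match(rule).groups()
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd = addr_matches(rsrc, s) and addr_matches(rdst, d)
    rev = direction == "<>" and addr_matches(rsrc, d) and addr_matches(rdst, s)
    return fwd or rev

def blind_to_lan(rules, src="192.168.1.10", dst="192.168.1.20"):
    """Rules that can never fire when both endpoints are inside HOME_NET."""
    return [r for r in rules if not header_matches(r, src, dst)]

def to_any(rule):
    """Rewrite both address fields to 'any', keeping ports and options."""
    action, proto, _, sport, direction, _, dport, opts = HEADER.match(rule).groups()
    return f"{action} {proto} any {sport} {direction} any {dport} {opts}"

if __name__ == "__main__":
    for r in blind_to_lan(RULES):
        print("misses LAN-internal traffic:", r, "\n  rewritten:", to_any(r))
```

Widening every rule to `any` also makes the rules match traffic between hosts that were previously excluded, so expect a higher alert volume after the rewrite.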