[Snort-users] Multiple IP address matching

Gregor Binder gbinder at ...462...
Thu Sep 21 03:11:15 EDT 2000

Kris Kennaway on Wed, Sep 20, 2000 at 06:23:26PM -0700:


> For my purposes, I have a number of machines which are part of a
> larger class B subnet (not contained within a smaller address block),
> and I want to be able to treat other machines on that class B as being
> external. I don't think there's any current way to do this, which
> means I either have to put up with snort traffic between my "internal"
> machines being logged as suspicious, or trust the entire class B and
> hope no-one else is poking at my machines.
> Does anyone have any suggestions?

if the untrusted machines are in the same switched segment, put one
interface of your sensor on the monitor port of this switch and use
"snort -i interface".

Make sure if your sensor can keep up with the amount of traffic on a
busy (I guess 100Mbit?) network without dropping packets.

Hope this helps,

  Gregor Binder.

Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 234 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20000921/2082d409/attachment.sig>

More information about the Snort-users mailing list