[Snort-users] Snort Rules

A.L.Lambert max at ...1806...
Wed Apr 11 19:08:56 EDT 2001


> I need to make Snort Not track stuff from 4 class C's
> 
> how do you do this?
> 
> I tried setting Homenet to the Networks
> [192.68.3.0/24,192.168.6.0/24,192.168.22.0/24,192.168.67.0/24] But I
> still get Tons on Tons of Tons of chatter between boxes on those
> networks
> 
> I want it to track only things not from those Networks.

	Depends on what you mean by only things not from those
networks.  If you mean you want those networks to become 'invisible' to
snort, try using a BPF filter like this:

not net 192.68.3.0/24 and not net 192.168.6.0/24 and ...

	If you mean you don't want that inter-network chatter to be
picked up, but you still want to know what goes on between those networks
and the outside world, you might want to write snort pass rules (remember
to start snort with "-o" to make pass rules evaluate as expected), with
each possibility of the networks that you want to be able to talk without
being seen by snort.

	And a final piece of advice, the rules that are setting off the
alerts on inter-network chatter are likely generating way too many false
alerts to be of any use to you anyway; I myself would rather comment out
some rules I know to watch for relatively harmless traffic but set off a
lot of false alerts, rather than make entire subnets invisible to snort.
:)

	Cheers!

-- A.L.Lambert
------------------------------------------------------------------------
The problems that exist in the world today cannot be solved by the level
of thinking that created them...
	-Einstein
------------------------------------------------------------------------
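
Added example (not part of the original message, and not Snort code): a small Python model of which flows Snort would still inspect under the BPF filter versus the pass-rule approach described in the reply. The network list is taken as written in the question; the sample flows are constructed, and the model looks at source and destination addresses only.

```python
"""Compare what Snort still inspects under the two approaches in the reply.

Constructed model, not Snort code: it evaluates source/destination pairs only.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Networks exactly as written in the question.
QUIET_NETS = [ip_network(n) for n in (
    "192.68.3.0/24", "192.168.6.0/24", "192.168.22.0/24", "192.168.67.0/24")]


def in_quiet_nets(addr):
    ip = ip_address(addr)
    return any(ip in net for net in QUIET_NETS)


def bpf_filter():
    """Full capture filter in the form shown in the reply."""
    return " and ".join(f"not net {net}" for net in QUIET_NETS)


def bpf_sees(src, dst):
    """BPF 'net X' matches source OR destination, so both ends must be outside."""
    return not in_quiet_nets(src) and not in_quiet_nets(dst)


def pass_pairs():
    """Every (source net, destination net) combination a pass rule must cover."""
    return list(product(QUIET_NETS, repeat=2))


def pass_rules_see(src, dst):
    """With pass rules evaluated first (-o), only quiet-to-quiet traffic is skipped."""
    s, d = ip_address(src), ip_address(dst)
    return not any(s in a and d in b for a, b in pass_pairs())


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
FLOWS = [
    ("192.168.6.10", "192.168.22.5"),   # chatter between two quiet networks
    ("203.0.113.9", "192.168.67.80"),   # outside host to a quiet network
    ("192.168.6.10", "203.0.113.9"),    # quiet network to an outside host
    ("203.0.113.9", "198.51.100.7"),    # neither end in a quiet network
]

if __name__ == "__main__":
    print(bpf_filter())
    for src, dst in FLOWS:
        print(f"{src:>15} -> {dst:<15} bpf={bpf_sees(src, dst)} pass={pass_rules_see(src, dst)}")
```

The BPF column shows that the capture filter also hides traffic between the listed networks and outside hosts, while the pass-rule model hides only traffic whose both ends are in the listed networks.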