[Snort-users] How to exclude alerts from within my home network.

Italo Antonio imigotto at ...3348...
Fri Sep 14 11:13:02 EDT 2001


That's because some rules are based on what your systems return to the
offender, for example:

info.rules:alert tcp any any -> any any (msg:"INFO id check returned
root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498;
rev:1;)

That means someone rooted a box, but you can't get it from the packets that
the attacker sent; you need to examine what your systems returned.
Anyway, which are the attacks you're getting?

Italo.

Peter Borner wrote:

> In my snort.conf file I have set HOME_NET to the IP address and mask of
> my internal LAN and then set EXTERNAL_NET to !$HOME_NET
>
> I was hoping this would avoid recording alerts from machines within my
> home network. However, I am still seeing numerous alerts from these
> machines being recorded in the database. Have I done something wrong?
>
> Thanks,
>
> Peter
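The point Italo makes above, shown in code: the quoted sid 498 rule has `any any -> any any` as its header, so it is matched against every packet regardless of HOME_NET or EXTERNAL_NET, and the packet it is meant to catch (the `id` output leaving a compromised box) has a source address inside the home network. The following is an added example, not code from this thread or from Snort: a toy evaluator for the rule header plus the `content:` option, with a constructed snort.conf (HOME_NET is an assumed 192.168.1.0/24, EXTERNAL_NET is `!$HOME_NET` as in Peter's message), a constructed second rule with a hypothetical sid, and two constructed packets. It ignores `flags:`, preprocessors and everything else real Snort does.

```python
"""Toy evaluator for Snort 1.x rule headers and the content: option.
Added illustration, not Snort's own code: it shows which rules can alert
on packets whose source is inside HOME_NET."""
import ipaddress
import re

# Constructed variables mirroring the snort.conf described in the thread.
# HOME_NET is an assumed value; EXTERNAL_NET is !$HOME_NET as Peter set it.
SNORT_VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def addr_matches(spec, ip, variables=SNORT_VARS):
    """Does an address spec ('any', CIDR, $VAR, or a '!'-negated form) cover ip?"""
    spec = spec.strip()
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec.startswith("$"):
        hit = addr_matches(variables[spec[1:]], ip, variables)
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def parse_rule(text):
    """Parse one rule line into a dict; only msg:, content: and sid: are kept."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    rule = m.groupdict()
    opts = rule.pop("opts")
    rule["msg"] = re.search(r'msg:\s*"([^"]*)"', opts).group(1)
    rule["sid"] = int(re.search(r"sid:\s*(\d+)", opts).group(1))
    c = re.search(r'content:\s*"([^"]*)"', opts)
    rule["content"] = c.group(1).encode() if c else None
    return rule


def rule_matches(rule, pkt):
    """pkt: dict with src, dst (strings), sport, dport (ints), payload (bytes)."""
    def one_way(src_spec, sport_spec, dst_spec, dport_spec):
        return (addr_matches(src_spec, pkt["src"]) and port_matches(sport_spec, pkt["sport"])
                and addr_matches(dst_spec, pkt["dst"]) and port_matches(dport_spec, pkt["dport"]))
    forward = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    backward = rule["dir"] == "<>" and one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    if not (forward or backward):
        return False
    return rule["content"] is None or rule["content"] in pkt["payload"]


def fired_sids(rules, pkt):
    return [r["sid"] for r in rules if rule_matches(r, pkt)]


def home_sourced_candidates(rules):
    """Rules whose header admits a source address inside HOME_NET, i.e. the
    rules that can produce alerts 'from' home machines by design."""
    probe = str(ipaddress.ip_network(SNORT_VARS["HOME_NET"])[1])
    return [r["sid"] for r in rules
            if addr_matches(r["src"], probe)
            or (r["dir"] == "<>" and addr_matches(r["dst"], probe))]


RULES = [parse_rule(r) for r in [
    # sid 498 exactly as quoted in the thread (info.rules).
    'alert tcp any any -> any any (msg:"INFO id check returned root"; '
    'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)',
    # Constructed rule with a hypothetical sid, written so that only
    # outside-to-inside traffic can match.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: web probe"; '
    'content:"/cgi-bin/"; sid:1000001; rev:1;)',
]]

# Constructed packets; 203.0.113.5 (TEST-NET-3) plays the attacker.
PROBE = dict(src="203.0.113.5", sport=40000, dst="192.168.1.10", dport=80,
             payload=b"GET /cgi-bin/test HTTP/1.0\r\n")
# The compromised home host answering `id` on the attacker's shell session:
# the source is inside HOME_NET, which is exactly what sid 498 must see.
ROOT_REPLY = dict(src="192.168.1.10", sport=31337, dst="203.0.113.5", dport=40000,
                  payload=b"uid=0(root) gid=0(root) groups=0(root)\n")

if __name__ == "__main__":
    for name, pkt in [("probe", PROBE), ("root reply", ROOT_REPLY)]:
        print(name, "src in HOME_NET:", addr_matches("$HOME_NET", pkt["src"]),
              "fires:", fired_sids(RULES, pkt))
    print("rules that can alert on HOME_NET-sourced packets:",
          home_sourced_candidates(RULES))
```

Running it shows the probe firing only the constructed EXTERNAL_NET rule, while the `uid=0(root)` reply fires sid 498 with a HOME_NET source address. `home_sourced_candidates` lists the rules in a ruleset that can do this; narrowing their source to `$EXTERNAL_NET` would silence the alerts Peter is seeing, but, as Italo says, it would also blind Snort to the response that reveals a rooted box.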
