[Snort-users] How to exclude alerts from within my home network.

Italo Antonio imigotto at ...3348...
Fri Sep 14 11:13:02 EDT 2001

That's because some rules are based on what your systems return to the
offender, for example:

info.rules:alert tcp any any -> any any (msg:"INFO id check returned
root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498;

That means someone rooted a box, but you can't get it by the packets that
the attacker sent, you need to examine what your systems returned.
Anyway, which are the attacks you're getting?


Peter Borner wrote:

> In my snort.conf file I have set HOME_NET to the IP address and mask of
> my internal LAN and then set EXTERNAL_NET to !$HOME_NET
> I was hoping this would avoid recording alerts from machines within my
> home network. However, I am still seeing numerous alerts from these
> machines being recorded in the database. Have I done something wrong?
> Thanks,
> Peter
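
Added example, not part of the original thread: a small Python check of which rule headers can still match traffic sourced from inside HOME_NET, as the reply above describes for the `any any -> any any` rule. The HOME_NET value, the sid:1000001 rule and all function names are constructed for illustration, and the quoted sid:498 rule is closed with ")" only so that it parses.

```python
import ipaddress
import re

# Assumed example values: HOME_NET is a constructed LAN range.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed input: the sid:498 rule quoted in the reply, plus a made-up rule
# whose header is restricted with the two variables.
RULES = [
    'alert tcp any any -> any any (msg:"INFO id check returned root"; '
    'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed example"; '
    'sid:1000001;)',
]

HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def expand(addr, variables):
    """Replace $NAME references until only literal text remains."""
    while "$" in addr:
        addr = re.sub(r'\$(\w+)', lambda m: variables[m.group(1)], addr)
    return addr

def matches(addr, host, variables):
    """True if host falls in a header address: 'any', a CIDR, or a negated CIDR.
    Bracketed address lists are not handled in this simplified model."""
    addr = expand(addr, variables)
    if addr == "any":
        return True
    bare = addr.lstrip("!")
    negated = (len(addr) - len(bare)) % 2 == 1
    inside = ipaddress.ip_address(host) in ipaddress.ip_network(bare, strict=False)
    return inside != negated

def source_can_trigger(rule, host, variables=VARS):
    """True if a packet sent by host can satisfy the rule's address header."""
    m = HEADER.match(rule)
    if m is None:
        raise ValueError("unparseable rule: " + rule[:40])
    _, _, src, _, direction, dst, _, _ = m.groups()
    sides = [src] + ([dst] if direction == "<>" else [])
    return any(matches(side, host, variables) for side in sides)

def report(host):
    """Map each rule's sid to whether host, as sender, can trigger it."""
    return {int(re.search(r'sid:\s*(\d+)', r).group(1)): source_can_trigger(r, host)
            for r in RULES}

if __name__ == "__main__":
    print(report("192.168.1.10"))  # a host inside the assumed HOME_NET
```

Rules reported as True for an internal address are the ones that keep alerting on packets sent by HOME_NET machines, whatever EXTERNAL_NET is set to.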
