[Snort-users] Snort + BB: Ignore BB Activity

Warner Joseph Joseph.Warner at ...6725...
Tue Aug 27 15:04:02 EDT 2002


Yep, that worked!

I changed var EXTERNAL_NET to

var EXTERNAL_NET any 

..and now I'm getting some juicy stuff,
excluding the traffic from BB.

Thanks for your help!

Joe


-----Original Message-----
From: Warner Joseph 
Sent: Tuesday, August 27, 2002 3:20 PM
To: 'Tom Sevy'; 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Snort + BB: Ignore BB Activity


Ok, I added the line.

..Let's see what happens.

Thanks for your quick response.



-----Original Message-----
From: Tom Sevy [mailto:tsevy at ...1701...]
Sent: Tuesday, August 27, 2002 3:09 PM
To: Warner Joseph; 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Snort + BB: Ignore BB Activity


Look in your snort.conf file for preprocessor portscan-ignorehosts and put
the IP of your BB host in there.


-----Original Message-----
From: Warner Joseph [mailto:Joseph.Warner at ...6725...]
Sent: Tuesday, August 27, 2002 4:25 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Snort + BB: Ignore BB Activity


Hi,

I'm running Snort 1.8.6 on FreeBSD 4.6-STABLE
with the Big Brother System and Network Monitor.

I have Snort logging to a MySQL database and I'm
using a script called ext-snort that displays the
Snort alerts on the BB display page.

Everything seems to work properly with the exception
of the BB server's activity showing up as spp_portscans
in my snort logs.  How do I get this to stop?
 
I saw in a previous email that someone recommended placing
the following line in the snort.conf file:
 
var EXTERNAL_NET !bb_server_ip
 
var EXTERNAL_NET [!ip_subnet.0/24]


I tried both, with and without the brackets and nothing seems to
work.
 
I've searched through the "snort-users" archives and haven't
found anything that helps.
 
Any help with this would be greatly appreciated.
 
Thanks!
 



-------------------------------------------------------------------------------
This message and any included attachments are from Siemens Medical Solutions
Health Services Corporation and are intended only for the addressee(s).
The information contained herein may include trade secrets or privileged or
otherwise confidential information.  Unauthorized review, forwarding, printing,
copying, distributing, or using such information is strictly prohibited and may
be unlawful.  If you received this message in error, or have reason to believe
you are not authorized to receive it, please promptly delete this message and
notify the sender by e-mail with a copy to CSOffice at ...6726...  Thank you


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
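
The suggestion in this thread, written out as a snort.conf fragment (an added example, not taken from any poster's configuration). The addresses are documentation-range placeholders and the portscan thresholds are illustrative values.

```conf
# snort.conf fragment (Snort 1.8.x syntax). All addresses are constructed
# placeholders: 192.0.2.0/24 stands for the monitored network and
# 192.0.2.10 for the Big Brother server.

var HOME_NET 192.0.2.0/24

# Rule variables are substituted into rule headers. The portscan
# preprocessor takes its own arguments, so the exclusion is made on the
# preprocessor line further down, not in this variable.
var EXTERNAL_NET any

# Form the original poster reports trying without effect:
#   var EXTERNAL_NET !bb_server_ip

# Portscan detection: <monitored network> <ports> <seconds> <log file>
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Hosts whose TCP SYN and UDP scans the portscan preprocessor ignores.
# A /32 limits the exception to the BB server alone; rules still
# apply to its traffic.
preprocessor portscan-ignorehosts: 192.0.2.10/32
```

Keeping the entry to a single /32 means a scan from any other host on the same subnet still raises spp_portscan alerts.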





