[Snort-users] Exclude IP addresses for all rules

Jens Krabbenhoeft tschenz-snort-users at ...7018...
Mon Dec 16 00:12:03 EST 2002


Hi,

> I want to exclude IP addresses in my home net from being watched at
> all.

As you write 'being watched at all', the best thing to do is to ignore
the IPs via BPF. Have a look at Erek Adams' post:

http://marc.theaimsgroup.com/?l=snort-users&m=102347618314311&w=2

Try starting snort with "snort -options.... not host 192.168.1.1 and not
host 192.168.1.2".

> var HOME_NET [!$EXCLUDE,192.168.1.0/24]

The problem is that you have an ORed list in HOME_NET. !192.168.1.1 OR
192.168.1.0/24 matches on all IPs in 192.168.1.0/24.

Have a look at my last week's post at
http://marc.theaimsgroup.com/?l=snort-users&m=103942066423750&w=2

HTH,
	Jens
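
Added example (not part of the original post): a small Python model of the two points in the message, showing why an ORed list with a negated entry still matches the excluded host, and how the "not host ..." BPF expression drops it instead. The function names and the sample packet addresses are constructed for illustration; the code models the semantics described in the post and is not Snort's own parser.

```python
import ipaddress

# Values taken from the post; the helper names below are hypothetical.
EXCLUDE = ["192.168.1.1", "192.168.1.2"]
HOME_NET = ["!192.168.1.1", "192.168.1.0/24"]  # [!$EXCLUDE,192.168.1.0/24] expanded

def ored_list_matches(ip, entries):
    """OR semantics as described in the post: an address matches the list
    if ANY single entry matches. A negated entry matches every address
    that is outside its network."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if (addr in net) != negated:
            return True
    return False

def bpf_exclude(hosts):
    """Build the capture filter from the post: 'not host A and not host B'."""
    for h in hosts:
        ipaddress.ip_address(h)  # raises ValueError on a malformed address
    return " and ".join(f"not host {h}" for h in hosts)

def passes_bpf(src, dst, hosts):
    """Model of that filter: BPF 'host X' matches when X is the source or
    the destination, so a packet is kept only if neither end is excluded."""
    excluded = {ipaddress.ip_address(h) for h in hosts}
    return (ipaddress.ip_address(src) not in excluded
            and ipaddress.ip_address(dst) not in excluded)

if __name__ == "__main__":
    # The excluded host still matches HOME_NET via the 192.168.1.0/24 entry.
    print("192.168.1.1 in HOME_NET:", ored_list_matches("192.168.1.1", HOME_NET))
    print("filter:", bpf_exclude(EXCLUDE))
    # Constructed packets: one from an excluded host, one from another host.
    print("192.168.1.1 -> 10.0.0.5 kept:", passes_bpf("192.168.1.1", "10.0.0.5", EXCLUDE))
    print("192.168.1.50 -> 10.0.0.5 kept:", passes_bpf("192.168.1.50", "10.0.0.5", EXCLUDE))
```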
