[Snort-users] snort not ignoring traffic

Tyler Owen t.l.owen at ...4552...
Mon Jan 14 09:46:07 EST 2002


I am having two problems with snort not ignoring traffic.  

My Config: I have two sensors running snort 1.8.3 logging to a central
mysql database.  They both have the same snort.conf and same rules. 
Where I am located on the network I see local traffic as well as
external traffic.  I am using DEMARC to view and manage the alerts and
also to configure the sensors.  I am also running snort with the -o
option for my pass rule.

Problem 1: I want to ignore all of the local traffic and only get
"alerts" on external to local traffic.  I have set HOME_NET
[172.24.0.0/16,10.10.0.0/16] and EXTERNAL_NET !$HOME_NET (first of all
is that OK?) but I still see the traffic.  I have also tried setting
EXTERNAL_NET !172.24.0.0/16 and I still see the traffic between local
hosts.

Problem 2:  I set a variable to be the IPs of hosts that run
vulnerability scans internally to ignore traffic from them.  This works
on one of the sensors but not the other??  The rule is: 

pass tcp $INFO_SEC_PCS any -> any any;

Any ideas why this would work on one host but not the other?


Thanks for your time!

Tyler
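
An added example, not part of the original post and not Snort code: a Python model of how the address fields of a rule header evaluate under the HOME_NET and EXTERNAL_NET values quoted above. It models only the logical meaning of `any`, CIDR blocks, lists and `!` (not Snort 1.8.3's own parser) and ignores ports and protocol; the sample rules, packet addresses and function names are constructed for illustration.

```python
import ipaddress
import re

def expand(spec, variables):
    """Substitute $NAME references, as snort.conf 'var' lines would."""
    for _ in range(10):
        new = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], spec)
        if new == spec:
            return spec
        spec = new
    raise ValueError("variable definitions refer to each other")

def addr_matches(spec, ip, variables):
    """True if ip falls inside an address spec: any, CIDR, [list] or !negated."""
    spec = expand(spec.strip(), variables)
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n.strip()) for n in spec.split(","))
    return hit != negate

def header_matches(rule, src, dst, variables):
    """Compare only the address fields of a rule header with one packet."""
    fields = rule.split("(", 1)[0].rstrip("; ").split()
    _action, _proto, r_src, _sport, direction, r_dst, _dport = fields
    fwd = addr_matches(r_src, src, variables) and addr_matches(r_dst, dst, variables)
    rev = addr_matches(r_src, dst, variables) and addr_matches(r_dst, src, variables)
    return fwd or (direction == "<>" and rev)

def rules_hit(rules, src, dst, variables):
    """Return the rules whose header addresses match the src -> dst packet."""
    return [r for r in rules if header_matches(r, src, dst, variables)]

# Variable values from the post; the rules below are constructed samples.
POSTED = {"HOME_NET": "[172.24.0.0/16,10.10.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}
SECOND_TRY = dict(POSTED, EXTERNAL_NET="!172.24.0.0/16")
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample A";)',
    'alert tcp any any -> $HOME_NET 21 (msg:"sample B";)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample C";)',
]

if __name__ == "__main__":
    for name, variables in (("posted", POSTED), ("second try", SECOND_TRY)):
        for rule in rules_hit(RULES, "10.10.5.20", "172.24.1.10", variables):
            print(name, "->", rule)
```

In this model, with the posted variables only the sample rule whose source is `any` matches the local-to-local packet; with EXTERNAL_NET set to !172.24.0.0/16 the 10.10.0.0/16 hosts count as external, so sample A matches as well.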




