[Snort-users] snort not ignoring traffic
roesch at ...1935...
Mon Jan 14 10:59:02 EST 2002
Tyler Owen wrote:
> I am having two problems with snort not ignoring traffic.
> My Config: I have two sensors running snort 1.8.3 logging to a central
> mysql database. They both have the same snort.conf and same rules.
> Where I am located on the network I see local traffic as well as
> external traffic. I am using DEMARC to view and manage the alerts and
> also to configure the sensors. I am also running snort with the -o
> option for my pass rule.
> Problem 1: I want to ignore all of the local traffic and only get
> "alerts" on external to local traffic. I have set HOME_NET
> [172.24.0.0/16,10.10.0.0/16] and EXTERNAL_NET !$HOME_NET (first of all
> is that OK?) but I still see the traffic. I have also tried setting
> EXTERNAL_NET !172.24.0.0/16 and I still see the traffic between local
Setting the EXTERNAL_NET like that is fine, but because you're using IP
lists the ! doesn't really apply in a commutative manner. Try
var EXTERNAL_NET [!172.24.0.0/16,!10.10.0.0/16]
> Problem 2: I set a variable to be the IPs of hosts that run
> vulnerability scans internally to ignore traffic from them. This works
> on one of the sensors but not the other?? The rule is:
> pass tcp $INFO_SEC_PCS any -> any any;
> Any ideas why this would work on one host but not the other?
Not really, unless the IP is wrong. You might try
pass ip $INFO_SEC_PCS any -> any any
and don't close it with a semicolon, it's not needed to terminate a
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
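Added worked example (editor's note, not part of the thread and not Snort's own code): a small Python model of the address-list and pass-rule behaviour discussed above. It expands $HOME_NET, the per-entry-negated $EXTERNAL_NET that Roesch suggests, and a $INFO_SEC_PCS list (the scanner addresses are made up), then classifies constructed packets with and without the -o ordering. The match semantics ("an address matches a list if it is inside some non-negated entry, if any, and inside none of the negated entries") are this example's model, not a statement about Snort 1.8.3's parser; ports and rule options are not modeled, and the rejection of a trailing ';' on a rule header is the example's own strictness.

```python
import ipaddress

# Variables modeled on the snort.conf described in the thread. The
# INFO_SEC_PCS addresses are made up for this example.
VARS = {
    "HOME_NET": "[172.24.0.0/16,10.10.0.0/16]",
    # Per-entry negation, the form suggested in the reply above.
    "EXTERNAL_NET": "[!172.24.0.0/16,!10.10.0.0/16]",
    "INFO_SEC_PCS": "[172.24.5.10,10.10.1.20]",
}


def expand(token, variables=VARS):
    """Expand $VAR and split a [a,b,c] list into its entries."""
    if token.startswith("$"):
        token = variables[token[1:]]
    return [e.strip() for e in token.strip("[]").split(",")]


def ip_matches(addr, entries):
    """Address-list match as modeled here (not Snort's parser): 'any' matches
    everything; otherwise the address must be inside some non-negated entry
    (if any exist) and inside none of the negated ones. A list made only of
    negated entries therefore matches everything outside those networks."""
    if entries == ["any"]:
        return True
    ip = ipaddress.ip_address(addr)
    pos = [ipaddress.ip_network(e, strict=False) for e in entries if not e.startswith("!")]
    neg = [ipaddress.ip_network(e[1:], strict=False) for e in entries if e.startswith("!")]
    if any(ip in n for n in neg):
        return False
    return any(ip in n for n in pos) if pos else True


def parse_rule(text, variables=VARS):
    """Parse 'action proto src sport -> dst dport [(options)]'. Ports and
    options are ignored. A ';' after the header is rejected; that strictness
    is this example's choice, not a claim about what Snort 1.8.3 does."""
    header = text.split("(", 1)[0].strip()
    if header.endswith(";"):
        raise ValueError("rule header must not end with ';': " + text)
    action, proto, src, _sport, arrow, dst, _dport = header.split()
    if arrow != "->":
        raise ValueError("only -> rules are modeled: " + text)
    return {"action": action, "proto": proto,
            "src": expand(src, variables), "dst": expand(dst, variables)}


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    return ip_matches(pkt["src"], rule["src"]) and ip_matches(pkt["dst"], rule["dst"])


def classify(pkt, rules, pass_first):
    """Return the action taken on pkt. pass_first=True models 'snort -o',
    which evaluates pass rules before alert rules."""
    order = ("pass", "alert") if pass_first else ("alert", "pass")
    for action in order:
        for r in rules:
            if r["action"] == action and rule_matches(r, pkt):
                return action
    return "none"


# Constructed rule set: one rule keyed on $EXTERNAL_NET, one with 'any' as
# source (many stock rules look like this), and the corrected pass rule.
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"external to local";)',
    'alert tcp any any -> $HOME_NET any (msg:"any source to local";)',
    "pass ip $INFO_SEC_PCS any -> any any",
]]
EXTERNAL_NET_RULES_ONLY = [RULES[0], RULES[2]]

# Constructed packets.
EXTERNAL_TO_LOCAL = {"proto": "tcp", "src": "192.0.2.7", "dst": "172.24.3.4"}
LOCAL_TO_LOCAL = {"proto": "tcp", "src": "172.24.3.4", "dst": "10.10.2.2"}
SCANNER_TO_LOCAL = {"proto": "tcp", "src": "172.24.5.10", "dst": "172.24.9.9"}


def original_pass_rule_is_rejected():
    """The rule as originally posted, with the trailing semicolon."""
    try:
        parse_rule("pass tcp $INFO_SEC_PCS any -> any any;")
    except ValueError:
        return True
    return False


def demo():
    return {
        "external_to_local": classify(EXTERNAL_TO_LOCAL, RULES, pass_first=True),
        "local_to_local_external_net_rule": classify(LOCAL_TO_LOCAL, EXTERNAL_NET_RULES_ONLY, pass_first=True),
        "local_to_local_any_source_rule": classify(LOCAL_TO_LOCAL, RULES, pass_first=True),
        "scanner_with_dash_o": classify(SCANNER_TO_LOCAL, RULES, pass_first=True),
        "scanner_without_dash_o": classify(SCANNER_TO_LOCAL, RULES, pass_first=False),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(name, "->", action)
```

Two things the run makes visible: a $EXTERNAL_NET built from per-entry negations only suppresses local-to-local traffic for rules that actually use $EXTERNAL_NET as the source (a rule with "any" as source still fires), and the pass rule only silences the scanner hosts when pass rules are evaluated first, which is what -o is for.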