[Snort-users] snort not ignoring traffic

Martin Roesch roesch at ...1935...
Mon Jan 14 10:59:02 EST 2002


Tyler Owen wrote:
> 
> I am having two problems with snort not ignoring traffic.
> 
> My Config: I have two sensors running snort 1.8.3 logging to a central
> mysql database.  They both have the same snort.conf and same rules.
> Where I am located on the network I see local traffic as well as
> external traffic.  I am using DEMARC to view and manage the alerts and
> also to configure the sensors.  I am also running snort with the -o
> option for my pass rule.
> 
> Problem 1: I want to ignore all of the local traffic and only get
> "alerts" on external to local traffic.  I have set HOME_NET
> [172.24.0.0/16,10.10.0.0/16] and EXTERNAL_NET !$HOME_NET (first of all
> is that OK?) but I still see the traffic.  I have also tried setting
> EXTERNAL_NET !172.24.0.0/16 and I still see the traffic between local
> hosts.

Setting the EXTERNAL_NET like that is fine, but because you're using IP
lists the ! doesn't really apply in a commutative manner.  Try

var EXTERNAL_NET [!172.24.0.0/16,!10.10.0.0/16]

> Problem 2:  I set a variable to be the IPs of hosts that run
> vulnerability scans internally to ignore traffic from them.  This works
> on one of the sensors but not the other??  The rule is:
> 
> pass tcp $INFO_SEC_PCS any -> any any;
> 
> Any ideas why this would work on one host but not the other?

Not really, unless the IP is wrong.  You might try 

pass ip $INFO_SEC_PCS any -> any any

and don't close it with a semicolon; it's not needed to terminate a
rule-header-only rule.

    -Marty

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
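As an added illustration (not part of the thread or of Snort itself), a small Python model of how a bracketed address list with per-entry negation resolves against packets. HOME_NET and EXTERNAL_NET mirror the values discussed above; the INFO_SEC_PCS hosts are hypothetical, and the match semantics are a simplified model, not Snort's own code.

```python
import ipaddress

# Constructed variable table mirroring the thread; INFO_SEC_PCS hosts are hypothetical.
VARS = {
    "HOME_NET": "[172.24.0.0/16,10.10.0.0/16]",
    # Negate each list element, as the reply suggests, instead of writing !$HOME_NET.
    "EXTERNAL_NET": "[!172.24.0.0/16,!10.10.0.0/16]",
    "INFO_SEC_PCS": "[172.24.5.10,172.24.5.11]",  # hypothetical scanner hosts
}

def expand(spec):
    """Resolve $VAR references, as snort.conf variable substitution does."""
    while spec.startswith("$"):
        spec = VARS[spec[1:]]
    return spec

def addr_matches(spec, addr):
    """Simplified model of address matching: 'any', a CIDR, a negated CIDR,
    or a bracketed list. Negated entries exclude the address; if any
    non-negated entries remain, the address must fall into one of them."""
    spec = expand(spec)
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    entries = spec.strip("[]").split(",")
    negated = [e[1:] for e in entries if e.startswith("!")]
    allowed = [e for e in entries if not e.startswith("!")]
    if any(ip in ipaddress.ip_network(n, strict=False) for n in negated):
        return False
    return not allowed or any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)

def header_matches(rule, proto, src, dst):
    """Evaluate a rule header (action proto src sport dir dst dport) against
    a packet. Ports are not evaluated; the thread's rules all use 'any'."""
    _action, rproto, rsrc, _sport, direction, rdst, _dport = rule.split()
    if rproto != "ip" and rproto != proto:
        return False
    forward = addr_matches(rsrc, src) and addr_matches(rdst, dst)
    if direction == "<>":
        return forward or (addr_matches(rsrc, dst) and addr_matches(rdst, src))
    return forward

if __name__ == "__main__":
    alert = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
    passrule = "pass ip $INFO_SEC_PCS any -> any any"
    print(header_matches(alert, "tcp", "172.24.1.5", "10.10.2.7"))     # local -> local: False
    print(header_matches(alert, "tcp", "203.0.113.9", "10.10.2.7"))    # external -> local: True
    print(header_matches(passrule, "udp", "172.24.5.10", "10.10.2.7")) # scanner host: True
```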