[Snort-users] Remove Home_NET from EXTERNAL_NET any

DThomaz at ...6151... DThomaz at ...6151...
Wed Jul 3 10:29:11 EDT 2002


How about removing an address from the rule?

alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (msg:"MISC Large
ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown;
sid:499; rev:1;)

I do not want to see alerts from 172.20.11.3, should I edit at the rule or
at the snort.conf?
When I remove from the rule I get this error running snort

Jul  3 11:16:40 ormnm9 snort: FATAL ERROR: ERROR /etc/snort//misc.rules (7)
=> Rule netmask (16!172.20.11.3/30) didn't x-late, WTF?

Thanks,

David




Erek Adams <erek at ...6239...amily.net>
07/02/2002 03:12 PM

To:      David Thomaz/North America/Flowserve at ...6240...
cc:      Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Remove Home_NET from EXTERNAL_NET any



On Tue, 2 Jul 2002 DThomaz at ...6151... wrote:

> My logs are getting home_net users as external_net.
> How do I make a statement on snort.conf that will not apply internal users
> as external.
>
> Here is my variables:
>
> var HOME_NET 172.16.0.0/12
>
> var EXTERNAL_NET any !$HOME_NET

Change that to:

     var EXTERNAL_NET !$HOME_NET

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
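
Added example (not part of the original messages, and not Snort code): a simplified Python model of how a var is substituted as plain text into a rule's address field, using the HOME_NET from this thread. It shows that once EXTERNAL_NET is !$HOME_NET, the host 172.20.11.3 is inside 172.16.0.0/12 and so no longer matches $EXTERNAL_NET, and that gluing !172.20.11.3 onto the variable does not expand to a single address spec. The function names and the outside address 198.51.100.7 are assumptions made for the illustration.

```python
import ipaddress

def expand(text, variables):
    """Substitute $NAME references as plain text until none remain."""
    while "$" in text:
        before = text
        for name in sorted(variables, key=len, reverse=True):
            text = text.replace("$" + name, variables[name])
        if text == before:
            raise ValueError("undefined variable in: " + text)
    return text

def parse_spec(spec):
    """Return (negated, networks); networks is None for 'any'. Model only, not Snort's parser."""
    spec = spec.strip()
    if spec == "any":
        return False, None
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body.startswith("[") and body.endswith("]"):
        items = body[1:-1].split(",")
    else:
        items = [body]
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def is_valid(spec, variables):
    """True if the expanded text is one well-formed address spec in this model."""
    try:
        parse_spec(expand(spec, variables))
        return True
    except ValueError:
        return False

def matches(spec, addr, variables):
    """Would a packet whose address is addr satisfy this address field?"""
    negated, nets = parse_spec(expand(spec, variables))
    if nets is None:
        return True
    inside = any(ipaddress.ip_address(addr) in net for net in nets)
    return inside != negated

# Variables from the thread, before and after the change; 198.51.100.7 below is constructed.
ORIGINAL = {"HOME_NET": "172.16.0.0/12", "EXTERNAL_NET": "any !$HOME_NET"}
FIXED = {"HOME_NET": "172.16.0.0/12", "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    for addr in ("172.20.11.3", "198.51.100.7"):
        print(addr, "matches $EXTERNAL_NET:", matches("$EXTERNAL_NET", addr, FIXED))
    print("appended form valid:", is_valid("$EXTERNAL_NET!172.20.11.3", FIXED))
```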






