[Snort-users] Exclude Source?

Darren Young darren at ...6023...
Sun Jun 9 11:38:02 EDT 2002

Is it possible to exclude based on the source IP address only? Problem: I
have a Linux (iptables) firewall connected to the Internet with a static IP
using masquerading. Many times internal connections going out will trigger
false alarms, especially portscans, and contain the external IP of my
firewall as the source IP. My snort sensor is sitting outside the firewall
connected to the hub that my dsl line and firewall connect to via a stealth
interface so it can see everything. Is it wise to simply say "don't bother
with any traffic that the source IP is the external interface" or should I
be more detailed? Perhaps just tell the portscan preprocessor this?

** Darren Young                                           **
** UNIX, Network & Security Consultant                    **
** YHL Solutions                                          **
** darren at ...6023...                                   **
** PGP: 6BAF 11AC D6D4 4F4F A94A C5AC 5926 5FC1 8A9F CC6D **

More information about the Snort-users mailing list