[Snort-users] Exclude Source?

John Sage jsage at ...2022...
Sun Jun 9 15:13:02 EDT 2002


How do you have $HOME_NET set?

- John
Warning: time of day goes back, taking countermeasures.

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 

On Sun, Jun 09, 2002 at 01:37:13PM -0500, Darren Young wrote:
> Is it possible to exclude based on the source IP address only? Problem: I
> have a Linux (iptables) firewall connected to the Internet with a static IP
> using masquerading. Many times internal connections going out will trigger
> false alarms, especially portscans, and contain the external IP of my
> firewall as the source IP. My snort sensor is sitting outside the firewall
> connected to the hub that my dsl line and firewall connect to via a stealth
> interface so it can see everything. Is it wise to simply say "don't bother
> with any traffic that the source IP is the external interface" or should I
> be more detailed? Perhaps just tell the portscan preprocessor this?
> ************************************************************
> ** Darren Young                                           **
> ** UNIX, Network & Security Consultant                    **
> ** YHL Solutions                                          **
> ** darren at ...6023...                                   **
> ** PGP: 6BAF 11AC D6D4 4F4F A94A C5AC 5926 5FC1 8A9F CC6D **
> ************************************************************
