[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts

Michael Boman michael.boman at ...4162...
Sun May 19 19:23:02 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 20 May 2002 10:00, Ed Kasky wrote:
> Is there a way to disable certain alerts from any home_net host to another
> home_net host?  I back up my web server over the wire to a tape machine and
> get flooded with "Shellcode X86 Noop" alerts whenever I run it.  I also get
> a lot of "WEB-MISC long basic authorization string" alerts using acid to
> view alerts in a mysql database.
>
> I was under the impression that "alert ip $EXTERNAL_NET any -> $HOME_NET"
> took care of this.
>
>  From my snort.conf:
> var HOME_NET 10.0.0.0/24

And I bet you have:

var EXTERNAL_NET any

that matches any address, including those in HOME_NET. why not set 
EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET). This would how ever 
limit the ability to catch insiders....

Best regards
 Michael Boman

- -- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE86F1dds5fQJiraJwRAo5OAJ4nRN3j/KOUFVlqaWd0XnKr45UY1gCfRAr7
MPLg0Ianb5bBCBE5R0piorc=
=47RP
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list