[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts
michael.boman at ...4162...
Sun May 19 19:23:02 EDT 2002
On Monday 20 May 2002 10:00, Ed Kasky wrote:
> Is there a way to disable certain alerts from any home_net host to another
> home_net host? I back up my web server over the wire to a tape machine and
> get flooded with "Shellcode X86 Noop" alerts whenever I run it. I also get
> a lot of "WEB-MISC long basic authorization string" alerts using acid to
> view alerts in a mysql database.
> I was under the impression that "alert ip $EXTERNAL_NET any -> $HOME_NET"
> took care of this.
> From my snort.conf:
> var HOME_NET 10.0.0.0/24
And I bet you have:
var EXTERNAL_NET any
that matches any address, including those in HOME_NET. Why not set
EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET)? This would, however,
limit the ability to catch insiders....
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
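The variable resolution discussed in this message, as an added Python model (not code from the original post or from Snort). It handles only a single CIDR, `any`, `!` and `$VAR` references, and the host addresses in the sample flows are constructed.

```python
import ipaddress

def resolve(value, variables):
    """Expand a Snort-style address value to (negated, network or None for any)."""
    negated = False
    while value.startswith(("!", "$")):
        if value[0] == "!":
            negated = not negated
            value = value[1:]
        else:
            value = variables[value[1:]]   # $NAME -> its definition
    net = None if value == "any" else ipaddress.ip_network(value)
    return negated, net

def addr_matches(addr, spec, variables):
    negated, net = resolve(spec, variables)
    inside = net is None or ipaddress.ip_address(addr) in net
    return inside != negated

def header_matches(src, dst, variables):
    """Model of the header: alert ip $EXTERNAL_NET any -> $HOME_NET any"""
    return (addr_matches(src, "$EXTERNAL_NET", variables)
            and addr_matches(dst, "$HOME_NET", variables))

HOME = "10.0.0.0/24"                      # from the quoted snort.conf
CONFIGS = {
    "EXTERNAL_NET any": {"HOME_NET": HOME, "EXTERNAL_NET": "any"},
    "EXTERNAL_NET !$HOME_NET": {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET"},
}
# Constructed flows; the host addresses are made up for the example.
FLOWS = {
    "backup, inside -> inside": ("10.0.0.5", "10.0.0.9"),
    "outside -> inside": ("203.0.113.7", "10.0.0.5"),
}

def evaluate():
    """Return {(config, flow): True if the rule header applies to the flow}."""
    return {(cfg, flow): header_matches(src, dst, variables)
            for cfg, variables in CONFIGS.items()
            for flow, (src, dst) in FLOWS.items()}

if __name__ == "__main__":
    for (cfg, flow), hit in evaluate().items():
        print(f"{cfg:26} {flow:26} rule applies: {hit}")
```

With `!$HOME_NET` the inside-to-inside flow no longer reaches the rule at all, which is both the fix for the backup noise and the loss of insider visibility mentioned in the reply.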