[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts

Ed Kasky ed at ...3483...
Sun May 19 19:42:03 EDT 2002


At 10:20 AM Monday, 5/20/2002, Michael Boman wrote -=>
>On Monday 20 May 2002 10:00, Ed Kasky wrote:
> > Is there a way to disable certain alerts from any home_net host to another
> > home_net host?  I back up my web server over the wire to a tape machine and
> > get flooded with "Shellcode X86 Noop" alerts whenever I run it.  I also get
> > a lot of "WEB-MISC long basic authorization string" alerts using acid to
> > view alerts in a mysql database.
> >
> > I was under the impression that "alert ip $EXTERNAL_NET any -> $HOME_NET"
> > took care of this.
> >
> >  From my snort.conf:
> > var HOME_NET 10.0.0.0/24
>
>And I bet you have:
>
>var EXTERNAL_NET any

Good guess...

>that matches any address, including those in HOME_NET. why not set
>EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET). This would however
>limit the ability to catch insiders....

I see what you mean if I change it in snort.conf.

Will this work in an individual rule:
"alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET"

Or can I even make it more specific to exclude the one ip address that is 
causing the specific alert when backing up?
"alert ip $EXTERNAL_NET !10.0.0.3 -> $HOME_NET"


Ed Kasky
Los Angeles, CA
. . . . . . . .
~ The only thing infinite is our capacity for self-deception. ~
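Editor's note on the two headers proposed above. A Snort rule header is `action proto SRC_IP SRC_PORT -> DST_IP DST_PORT`, so in `alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET` the negation sits in the source-port slot and the destination port is missing; the per-rule exclusion belongs in the source-address field, e.g. `alert ip ![10.0.0.3] any -> $HOME_NET any`. The global `var EXTERNAL_NET !$HOME_NET` fix, by contrast, silences every HOME_NET -> HOME_NET match for every rule that uses $EXTERNAL_NET, which is the insider trade-off mentioned in the reply. The following Python model is an added example, not code from this thread or from the Snort project; it reimplements only the address and port fields of the rule header, and the hosts (10.0.0.3 as the backup client, 203.0.113.9 as an outsider), rule text and msg strings are constructed for illustration.

```python
"""Snort-style rule-header address matching.

Added example for this thread; it is not code from the original message nor
from the Snort project.  It models only the address and port fields of a
Snort 1.x rule header (action proto SRC_IP SRC_PORT -> DST_IP DST_PORT) to show
why `var EXTERNAL_NET any` matches HOME_NET hosts, what `!$HOME_NET` changes,
and how a single rule can exclude one backup host while still watching the
rest of the LAN.  The hosts, rules and messages below are constructed."""
import ipaddress
import re

# Constructed variable sets.  10.0.0.0/24 is the HOME_NET from the thread;
# "any" is the default EXTERNAL_NET, "!$HOME_NET" is the suggested fix.
VARS_ANY = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "any"}
VARS_NEG = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed sample flows as (src, dst).  10.0.0.3 is the assumed backup
# client; 203.0.113.9 is an RFC 5737 documentation address standing in for
# an outside attacker.
BACKUP_FLOW = ("10.0.0.3", "10.0.0.5")
INSIDER_FLOW = ("10.0.0.7", "10.0.0.5")
OUTSIDE_FLOW = ("203.0.113.9", "10.0.0.5")

# Constructed rule headers (the msg text is a placeholder, not a stock rule).
RULE_STOCK = 'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"demo";)'
RULE_NOT_BACKUP = 'alert ip ![10.0.0.3] any -> $HOME_NET any (msg:"demo";)'
# The header proposed in the thread: the negation lands in the SRC_PORT slot
# and the DST_PORT is missing, so Snort would not parse it as intended.
RULE_MISPLACED = 'alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET (msg:"demo";)'

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")
PORT = re.compile(r"^!?(any|\d+|\d+:\d*|:\d+)$")


def expand_vars(spec, variables):
    """Resolve $NAME references, repeatedly, so the !$HOME_NET inside
    EXTERNAL_NET is expanded too.  Unknown names raise KeyError."""
    while "$" in spec:
        spec = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], spec)
    return spec


def addr_matches(spec, ip):
    """Snort address semantics: 'any', a host or CIDR, a [a,b,...] list,
    or any of those prefixed with '!' (match everything except).
    Nested bracket lists are not handled."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(part, ip) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(rule, flow, variables):
    """Return True if the rule header's source/destination address fields
    match the (src, dst) flow.  Port fields are checked for shape only,
    since the thread's rules use 'any'.  A malformed header raises
    ValueError rather than silently matching nothing."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: " + rule)
    _action, _proto, src, sport, dst, dport = m.groups()
    src, sport, dst, dport = (expand_vars(f, variables)
                              for f in (src, sport, dst, dport))
    for port in (sport, dport):
        if not PORT.match(port):
            raise ValueError("bad port field %r in: %s" % (port, rule))
    return addr_matches(src, flow[0]) and addr_matches(dst, flow[1])


def alert_table(rule, variables):
    """Which of the three sample flows would this rule alert on?"""
    flows = {"backup": BACKUP_FLOW, "insider": INSIDER_FLOW,
             "outside": OUTSIDE_FLOW}
    return {name: header_matches(rule, flow, variables)
            for name, flow in flows.items()}


if __name__ == "__main__":
    print("stock rule, EXTERNAL_NET any:       ", alert_table(RULE_STOCK, VARS_ANY))
    print("stock rule, EXTERNAL_NET !$HOME_NET:", alert_table(RULE_STOCK, VARS_NEG))
    print("per-rule ![10.0.0.3], EXTERNAL any: ", alert_table(RULE_NOT_BACKUP, VARS_ANY))
    try:
        alert_table(RULE_MISPLACED, VARS_ANY)
    except ValueError as err:
        print("misplaced negation rejected:", err)
```

Running it shows the three outcomes side by side: with `EXTERNAL_NET any` the backup, insider and outside flows all alert; with `EXTERNAL_NET !$HOME_NET` only the outside flow alerts, so the backup noise disappears together with any insider detection; with the per-rule `![10.0.0.3]` source field only the backup client is excluded. The misplaced header is rejected because its source-port field does not look like a port.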