[Snort-users] Excluding $HOME_NET -> $HOME_NET Alerts
ed at ...3483...
Sun May 19 19:42:03 EDT 2002
At 10:20 AM Monday, 5/20/2002, Michael Boman wrote -=>
>On Monday 20 May 2002 10:00, Ed Kasky wrote:
> > Is there a way to disable certain alerts from any home_net host to another
> > home_net host? I back up my web server over the wire to a tape machine and
> > get flooded with "Shellcode X86 Noop" alerts whenever I run it. I also get
> > a lot of "WEB-MISC long basic authorization string" alerts using acid to
> > view alerts in a mysql database.
> > I was under the impression that "alert ip $EXTERNAL_NET any -> $HOME_NET"
> > took care of this.
> > From my snort.conf:
> > var HOME_NET 10.0.0.0/24
>And I bet you have:
>var EXTERNAL_NET any
>that matches any address, including those in HOME_NET. Why not set
>EXTERNAL_NET to !$HOME_NET (everything BUT HOME_NET)? This would however
>limit the ability to catch insiders....
I see what you mean if I change it in snort.conf.
Will this work in an individual rule:
"alert ip $EXTERNAL_NET !$HOME_NET -> $HOME_NET"
Or can I even make it more specific to exclude the one IP address that is
causing the specific alert when backing up?
"alert ip $EXTERNAL_NET !10.0.0.3 -> $HOME_NET"
Los Angeles, CA
. . . . . . . .
~ The only thing infinite is our capacity for self-deception. ~
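As an added example (not part of the thread or the Snort distribution), a snort.conf fragment showing both approaches discussed above, with rule headers in Snort's "action proto src_ip src_port -> dst_ip dst_port" form; the msg text and sid numbers are constructed placeholders.

```snort
# Added example, not from the thread: snort.conf fragment for the two
# approaches discussed above. Rule headers follow Snort's
#   action proto src_ip src_port -> dst_ip dst_port
# layout, so an address negation belongs in the address slot.
# Message text and sid numbers are constructed placeholders.

var HOME_NET 10.0.0.0/24

# Approach 1 (global): define EXTERNAL_NET as everything except HOME_NET.
# Every rule written as $EXTERNAL_NET -> $HOME_NET then ignores
# host-to-host traffic inside 10.0.0.0/24, including the backup job.
# Cost: those rules no longer see an attacker who is already inside.
var EXTERNAL_NET !$HOME_NET

# Approach 2 (per rule): keep "var EXTERNAL_NET any" for most rules and
# negate only in the rules that are noisy. Negate the address itself;
# "$EXTERNAL_NET !$HOME_NET" would place !$HOME_NET in the source-port slot.
alert ip !$HOME_NET any -> $HOME_NET any (msg:"EXAMPLE external-only check"; sid:1000001; rev:1;)

# Narrower still: exclude only the backup host as a source, so the rule
# keeps firing for every other address, inside or outside HOME_NET.
alert ip !10.0.0.3 any -> $HOME_NET any (msg:"EXAMPLE all sources but backup host"; sid:1000002; rev:1;)
```

Whichever form is chosen, the traffic excluded by the negation is no longer inspected by that rule at all, so a compromised backup host would go unnoticed by it.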