[Snort-users] exclude home_net from external_net

pilsl at ...7275... pilsl at ...7275...
Thu Oct 24 06:09:15 EDT 2002


I'm quite new to snort. I set the home_net to my internal-net and
external_net to any.

Now I get myriads of alerts when internal clients connect to our squid
server. Of course this is not what I want (alerts are only useful on
external connects), so I took a close look at the corresponding rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy
attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)

sid-msg.map:
618 || SCAN Squid Proxy attempt


In that sense of course any connect from HOME_NET to HOME_NET will
raise an alert, because home_net is a real subnet of EXTERNAL_NET.

So I think it would be wise to define EXTERNAL_NET as "ANY but not
HOME_NET".

Is there any reason why I don't want to do this? If not: how could I
do this? In the docs I found only a way to specify include-ranges but
no way to specify exclude-ranges.


Of course I could remove the whole rule on the sensor for the internal
interface, but I'd like to keep both rulesets consistent for easier
maintenance.

best,
peter




-- 
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
pilsl at ...7275...
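The following is an added example, not part of the original post or of the Snort project. It shows why the squid rule fires on internal-to-internal connects when EXTERNAL_NET is "any", and how the standard snort.conf idiom `var EXTERNAL_NET !$HOME_NET` (the `!` negation operator, which is Snort's own variable syntax) removes those alerts. The two snort.conf fragments and the IP addresses are constructed for the example; the small evaluator that resolves `var` definitions and tests the rule's source/destination addresses is my own code and only models the address part of rule matching, not the real Snort detection engine.

```python
import ipaddress

# Constructed snort.conf fragments (addresses made up for this example).
# The first is the poster's setup, the second uses Snort's negation operator.
SNORT_CONF_ANY = """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
"""

SNORT_CONF_NEGATED = """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
"""


def parse_vars(conf):
    """Collect 'var NAME VALUE' (or 'ipvar') lines into a dict."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in ("var", "ipvar"):
            out[parts[1]] = parts[2]
    return out


def resolve(expr, variables):
    """Resolve an address expression to (negated, networks).

    networks is None for 'any'; $NAME references are expanded recursively,
    '!' flips the sense, and [a,b] lists are split on commas.
    """
    expr = expr.strip()
    negated = False
    if expr.startswith("!"):
        negated = True
        expr = expr[1:]
    if expr.startswith("$"):
        inner_negated, nets = resolve(variables[expr[1:]], variables)
        return negated ^ inner_negated, nets
    if expr == "any":
        return negated, None
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    nets = [ipaddress.ip_network(p.strip()) for p in expr.split(",")]
    return negated, nets


def address_matches(expr, ip, variables):
    """True if ip is matched by expr (honouring 'any' and negation)."""
    negated, nets = resolve(expr, variables)
    addr = ipaddress.ip_address(ip)
    in_set = True if nets is None else any(addr in n for n in nets)
    return in_set != negated


def squid_rule_fires(conf, src_ip, dst_ip, dst_port):
    """Model the address/port part of:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (...; sid:618; ...)
    """
    variables = parse_vars(conf)
    return (dst_port == 3128
            and address_matches("$EXTERNAL_NET", src_ip, variables)
            and address_matches("$HOME_NET", dst_ip, variables))


if __name__ == "__main__":
    # Internal client -> internal squid, then an outside host -> squid.
    for label, conf in (("any", SNORT_CONF_ANY), ("!$HOME_NET", SNORT_CONF_NEGATED)):
        print(label,
              "internal->squid:", squid_rule_fires(conf, "192.168.1.50", "192.168.1.10", 3128),
              "external->squid:", squid_rule_fires(conf, "203.0.113.7", "192.168.1.10", 3128))
```

With EXTERNAL_NET set to any, the internal client is inside EXTERNAL_NET as well, so sid 618 fires on every proxy connect; with `!$HOME_NET` only the outside source still matches, and the same rule file can stay in use on both sensors.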



