[Snort-users] exclude home_net from external_net

Alberto Gonzalez ag-snort at ...7149...
Thu Oct 24 06:57:07 EDT 2002


var EXTERNAL_NET !$HOME_NET

pilsl at ...7275... wrote:

>I'm quite new to snort.  I set the home_net to my internal-net and
>external_net to any
>
>Now I got myriads of alerts when internal clients connect to our squid
>server. Of course this is not what I want (alerts are only useful on
>external connects), so I took a close look at the corresponding rule:
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)
>
>sid-msg.map: 618 || SCAN Squid Proxy attempt
>
>
>In that sense of course any connect from HOME_NET to HOME_NET will
>raise an alert, cause home_net is a real subnet of EXTERNAL_NET.
>
>So I think it would be wise to define EXTERNAL_NET as "ANY but not
>HOME_NET".
>
>Is there any reason why I don't want to do this? If not: how could I
>do this? In the docs I found only a way to specify include-changes but
>no way to specify exclude-ranges.
>
>
>Of course I could remove the whole rule on the sensor for the internal
>interface, but I'd like to keep both rulesets consistent for easier
>maintenance.
>
>best,
>peter

-- 
The secret to success is to start from scratch and keep on scratching.
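The one-line answer above works because a Snort rule header only matches when both the source and destination address specs match, and `any` trivially contains HOME_NET. The following is an added example, not code from the thread or from Snort itself: a small evaluator for the address part of a rule header that shows why sid 618 fires on internal-to-internal connects with `var EXTERNAL_NET any` and stops doing so with `var EXTERNAL_NET !$HOME_NET`. The HOME_NET ranges, the squid address and the sample connections are constructed for the example, and only the address/port part of the header is modelled (the `flags:S` option and the protocol check are assumed to have passed).

```python
import ipaddress

# Constructed values for the example (assumptions, not from the thread).
SQUID_PORT = 3128
HOME_NET_SPEC = "[192.168.1.0/24,10.0.0.0/8]"
SQUID_HOST = "192.168.1.10"


def address_matches(spec, ip, variables):
    """Return True if ip falls inside a Snort rule-header address spec.

    Handles the subset of the syntax this thread needs: 'any', a CIDR,
    '$VAR' references, '!' negation and '[a,b,...]' lists.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return address_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(address_matches(part, ip, variables)
                   for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def sid_618_header_matches(variables, src, dst, dport):
    """Address/port test for 'alert tcp $EXTERNAL_NET any -> $HOME_NET 3128'."""
    return (dport == SQUID_PORT
            and address_matches("$EXTERNAL_NET", src, variables)
            and address_matches("$HOME_NET", dst, variables))


def evaluate(external_net):
    """Run three constructed connections against the header for a given
    'var EXTERNAL_NET ...' setting and report which would alert."""
    variables = {"HOME_NET": HOME_NET_SPEC, "EXTERNAL_NET": external_net}
    return {
        # internal client in 10/8 talking to the internal squid box
        "internal_client": sid_618_header_matches(
            variables, "10.2.3.4", SQUID_HOST, SQUID_PORT),
        # outside host probing the proxy port
        "external_host": sid_618_header_matches(
            variables, "203.0.113.7", SQUID_HOST, SQUID_PORT),
        # outside host on a different port: never this rule's business
        "external_other_port": sid_618_header_matches(
            variables, "203.0.113.7", SQUID_HOST, 80),
    }


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"var EXTERNAL_NET {setting}: {evaluate(setting)}")
```

With `any`, both the internal client and the external host trigger the header; with `!$HOME_NET`, only the external host does. The trade-off a practitioner should keep in mind is that the negated definition also silences sid 618 for a compromised internal host scanning the proxy port, so it suits a sensor on an interface where internal-to-internal traffic is expected, as in the internal-interface case described in the question.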