[Snort-users] Netbios rules and keeping snort quiet about them ;)

James Nonya slave_tothe_box at ...131...
Fri Apr 25 06:39:18 EDT 2003


Good Morning all!

Here's my setup:  I have two routers, one in each
building.  Building A is 10.1.0.0/24 and building B is
10.2.0.0/24.  My internal/external net settings in
snort.conf are:

var EXTERNAL_NET [!10.1.0.0/16,!10.2.0.0/15,ANY]

I have TRIED to set my NT NULL session alert to:

alert tcp [!10.1.0.0/16,!10.2.0.0/16] any -> $HOME_NET 139

I will STILL get hits on this...I'm not sure how to
tell snort to ignore the rule if its source is 10
based.  Anyone have this same issue?  Thanks!

James
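
An added illustration, not part of the message above and not Snort's own code: the Snort manual notes that versions 2.7.x and earlier OR'ed the elements of an IP list together, while later versions OR the non-negated elements and then exclude anything a negated element covers. This Python model (function names and sample addresses are constructed) evaluates the rule's source list both ways.

```python
import ipaddress

# The negated source list from the alert rule in the post.
RULE_SRC = ["!10.1.0.0/16", "!10.2.0.0/16"]

def _parse(elem):
    """Split one list element into (negated, network)."""
    negated = elem.startswith("!")
    return negated, ipaddress.ip_network(elem.lstrip("!"), strict=False)

def match_or(src, elems):
    """Legacy semantics: every element is tested on its own and the
    results are OR'ed, so '!net' is true for any address outside net."""
    ip = ipaddress.ip_address(src)
    for negated, net in map(_parse, elems):
        if (ip in net) != negated:
            return True
    return False

def match_and_not(src, elems):
    """Later semantics: OR the plain elements, then require that no
    negated element contains the address."""
    ip = ipaddress.ip_address(src)
    parsed = [_parse(e) for e in elems]
    plain = [n for neg, n in parsed if not neg]
    excluded = [n for neg, n in parsed if neg]
    included = any(ip in n for n in plain) if plain else True
    return included and not any(ip in n for n in excluded)

# Constructed sample sources: one per building plus one outside address.
SAMPLES = ["10.1.0.25", "10.2.0.40", "192.0.2.7"]

def compare(elems=RULE_SRC, samples=SAMPLES):
    """Return {src: (legacy_match, later_match)} for each sample."""
    return {s: (match_or(s, elems), match_and_not(s, elems)) for s in samples}

if __name__ == "__main__":
    for src, (legacy, later) in compare().items():
        print(f"{src:12} legacy OR: {legacy!s:5}  AND-of-negations: {later}")
```

Under the OR model each internal address falls outside one of the two negated networks, so the list matches it; only the AND-of-negations model excludes both buildings.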
