[Snort-users] Snort Filtering

Neil Dickey neil at ...1633...
Tue Apr 29 15:37:07 EDT 2003


Michale <michale at ...9068...> wrote:

>I did (and am again) using the newest RULES downloaded from snort.org.

OK, that helps me to know what you're doing.

>So, maybe the approach I am looking is to have it use THAT ruleset,
>but then put in domains and IPs that I want it to log activity from...
>
>Is that a similar procedure to the one of NOT logging specified
>domains and IPs??

Filtering can be done by inclusion or exclusion.  You have to decide
which method will work best for you, doubtless based at least in part
on how big the domain you're interested in is compared with the rest
of the world.

If you *only* want to look at traffic between a specific domain and
your home box, say, defining these variables in snort.conf should get
you what you want:

  var HOME_NET ip.of.your.box
  var EXTERNAL_NET [ip.of.other.domain/16,ip.of.another.box,yet.another.ip.0/24]

With this setup, most of the existing rules would then alert only on
traffic between EXTERNAL_NET and HOME_NET.  Obviously, only those rules
which use EXTERNAL_NET and HOME_NET would be affected.

NOT logging specified domains means using something like the default
values ...

  var HOME_NET ip.of.your.box
  var EXTERNAL_NET !$HOME_NET

... and then writing pass rules to avoid alerting on traffic you're not
interested in.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
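
The following is an added toy model of how the two snort.conf layouts above (inclusion via an explicit EXTERNAL_NET list, exclusion via `!$HOME_NET` plus pass rules) select traffic; it is not code from this thread or from Snort itself. All addresses are constructed, and it assumes pass rules are evaluated before alert rules (Snort's `-o` ordering).

```python
"""Toy model of Snort HOME_NET / EXTERNAL_NET matching and pass rules.
Added illustration, not Snort's own code; every address here is constructed."""
import ipaddress

# Snort expands $VAR references, then matches an address against a single CIDR,
# a bracketed comma-separated list, 'any', or a '!' negation of any of those.
def resolve(expr, variables):
    expr = expr.strip()
    if expr.startswith("$"):
        return resolve(variables[expr[1:]], variables)
    if expr.startswith("!"):
        return ("not", resolve(expr[1:], variables))
    if expr.startswith("["):
        return ("list", [resolve(p, variables) for p in expr[1:-1].split(",")])
    if expr == "any":
        return ("any", None)
    return ("net", ipaddress.ip_network(expr, strict=False))

def matches(tree, addr):
    kind, val = tree
    if kind == "any":
        return True
    if kind == "net":
        return ipaddress.ip_address(addr) in val
    if kind == "list":
        return any(matches(t, addr) for t in val)
    return not matches(val, addr)  # kind == "not"

def alerts(variables, src, dst, pass_src=None):
    """Would 'alert ip $EXTERNAL_NET any -> $HOME_NET any' fire for src -> dst?
    If pass_src is given, a 'pass ip <pass_src> any -> $HOME_NET any' rule is
    checked first (assumes pass-before-alert ordering, Snort's -o)."""
    if pass_src and matches(resolve(pass_src, variables), src):
        return False
    return (matches(resolve("$EXTERNAL_NET", variables), src)
            and matches(resolve("$HOME_NET", variables), dst))

# Inclusion: EXTERNAL_NET names only the domains you want to watch.
INCLUSIVE = {"HOME_NET": "10.0.0.5",
             "EXTERNAL_NET": "[198.51.100.0/24,203.0.113.7,192.0.2.0/24]"}
# Exclusion (default shape): everything that is not HOME_NET is external,
# and pass rules carve out the peers you do not care about.
EXCLUSIVE = {"HOME_NET": "10.0.0.5", "EXTERNAL_NET": "!$HOME_NET"}
NOISY_PEERS = "[203.0.113.0/24]"  # constructed pass-rule source list

if __name__ == "__main__":
    for src in ("203.0.113.7", "203.0.113.8", "198.51.100.77", "10.0.0.5"):
        print(src, "inclusive:", alerts(INCLUSIVE, src, "10.0.0.5"),
              "exclusive+pass:", alerts(EXCLUSIVE, src, "10.0.0.5", NOISY_PEERS))
```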
