[Snort-users] one IP
mkettler at ...4108...
Wed Feb 4 08:52:10 EST 2004
At 07:49 AM 2/4/2004, Keming wrote:
>I'm trying to monitor only one IP as destination of the subnet but
>snort.conf -> var HOME_NET 188.8.131.52/32
>snort.conf -> var HOME_NET 184.108.40.206
>seems to observe and alert all in this subnet (as destination) ?
That should work, but it will only work for rules, and only rules that
actually reference the HOME_NET.
There's a few rules in the ruleset which use 'any' where they should use
And the preprocessors are mostly unaffected by HOME_NET, so any alerts
spit out by the preprocessors won't be limited to HOME_NET.
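
Added example, not part of the original post: a small audit script that lists the rules in a ruleset whose source and destination fields never reference HOME_NET, either directly or through another variable, and which will therefore alert no matter how HOME_NET is set. The snort.conf lines, rules, sids and the 192.0.2.10 address are constructed sample data, and only the 'var NAME value' syntax shown in the post is assumed.

```python
import re

# Rule header: action proto src_addr src_port direction dst_addr dst_port (options)
RULE_RE = re.compile(r'^(alert|log|pass|activate|dynamic)\s+(\S+)\s+(\S+)\s+(\S+)'
                     r'\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
VAR_RE = re.compile(r'^var\s+(\S+)\s+(\S+)')
SID_RE = re.compile(r'\bsid:\s*(\d+)')

# Constructed sample input (not taken from any real ruleset).
SAMPLE_CONF = """\
var HOME_NET 192.0.2.10/32
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
"""
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed telnet"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed web"; sid:1000002;)
alert icmp any any -> any any (msg:"constructed icmp"; sid:1000003;)
alert udp $EXTERNAL_NET any -> any 53 (msg:"constructed dns"; sid:1000004;)
# alert tcp any any -> any any (msg:"constructed, disabled"; sid:1000005;)
"""

def parse_vars(conf_text):
    """Collect 'var NAME value' definitions from snort.conf text."""
    matches = (VAR_RE.match(line.strip()) for line in conf_text.splitlines())
    return dict(m.groups() for m in matches if m)

def uses_home_net(addr, variables, seen=()):
    """True if an address field references $HOME_NET directly or via another var."""
    for name in re.findall(r'\$(\w+)', addr):
        if name == 'HOME_NET' or (name in variables and name not in seen
                and uses_home_net(variables[name], variables, seen + (name,))):
            return True
    return False

def unscoped_rules(rules_text, variables):
    """Return sids of active rules whose src and dst both ignore HOME_NET."""
    found = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a rule
        src, dst, opts = m.group(3), m.group(6), m.group(8)
        if not (uses_home_net(src, variables) or uses_home_net(dst, variables)):
            sid = SID_RE.search(opts)
            found.append(int(sid.group(1)) if sid else None)
    return found

if __name__ == "__main__":
    print(unscoped_rules(SAMPLE_RULES, parse_vars(SAMPLE_CONF)))
```

This covers rules only; preprocessor alerts are not governed by rule headers and have to be checked in the preprocessor configuration itself.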