[Snort-users] one IP

Matt Kettler mkettler at ...4108...
Wed Feb 4 08:52:10 EST 2004

At 07:49 AM 2/4/2004, Keming wrote:
>IŽm trying to monitor only one IP as destination of the subnet but
>snort.conf -> var HOME_NET
>snort.conf -> var HOME_NET
>seems to obsevere and alert all in this subnet (as destinaton) ?

That should work, but it will only work for rules, and only rules that 
actualy reference the HOME_NET.

There's a few rules in the ruleset which use 'any' where they should use 

And the preprocessors are mostly unaffected by HOME_NET.. so any alerts 
spit out by the preprocessors won't be limited to HOME_NET. 

More information about the Snort-users mailing list