[Snort-users] one IP

Matt Kettler mkettler at ...4108...
Wed Feb 4 08:52:10 EST 2004


At 07:49 AM 2/4/2004, Keming wrote:
>Hi,
>
>I'm trying to monitor only one IP as destination of the subnet but
>
>snort.conf -> var HOME_NET 1.2.3.4/32
>and/or
>snort.conf -> var HOME_NET 1.2.3.4
>
>seems to observe and alert all in this subnet (as destination)?

That should work, but it will only work for rules, and only rules that 
actually reference the HOME_NET.

There are a few rules in the ruleset which use 'any' where they should use 
HOME_NET.

And the preprocessors are mostly unaffected by HOME_NET, so any alerts 
spit out by the preprocessors won't be limited to HOME_NET.
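
Added example, not part of the original post or of the Snort project: a small Python audit that lists rules whose header never references HOME_NET, directly or through another variable, which are the rules the reply says will keep alerting for the whole subnet. The rules, sids and variable values are constructed samples, and the function names are hypothetical.

```python
import re

# Rule header: action proto src sport direction dst dport (options)
# Assumes single-line rules with no spaces inside address lists.
HEADER = re.compile(
    r'^\s*(?:alert|log|pass|activate|dynamic)\s+\S+\s+(\S+)\s+\S+\s+'
    r'(?:->|<>)\s+(\S+)\s+\S+\s*\((.*)\)\s*$')
SID = re.compile(r'\bsid\s*:\s*(\d+)')

def references_home_net(addr, variables, seen=None):
    """True if addr mentions $HOME_NET, directly or via other vars."""
    if seen is None:
        seen = set()
    for name in re.findall(r'\$(\w+)', addr):
        if name == 'HOME_NET':
            return True
        if name in variables and name not in seen:
            seen.add(name)  # guard against circular definitions
            if references_home_net(variables[name], variables, seen):
                return True
    return False

def unscoped_rules(rules_text, variables):
    """Return (sid, src, dst) for rules that ignore HOME_NET entirely."""
    findings = []
    for line in rules_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # comments, blanks, anything that is not a rule
        src, dst, opts = m.groups()
        if not any(references_home_net(a, variables) for a in (src, dst)):
            sid = SID.search(opts)
            findings.append((int(sid.group(1)) if sid else None, src, dst))
    return findings

# Constructed variable definitions, as they would appear in snort.conf.
SAMPLE_VARS = {'HOME_NET': '1.2.3.4/32', 'EXTERNAL_NET': 'any',
               'HTTP_SERVERS': '$HOME_NET'}

# Constructed rules for illustration, not taken from any real ruleset.
SAMPLE_RULES = '''
# local test rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet in"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"web in"; sid:1000002;)
alert icmp any any -> any any (msg:"icmp anywhere"; sid:1000003;)
alert udp $EXTERNAL_NET any -> any 53 (msg:"dns anywhere"; sid:1000004;)
'''

if __name__ == '__main__':
    for sid, src, dst in unscoped_rules(SAMPLE_RULES, SAMPLE_VARS):
        print(f'sid {sid}: {src} -> {dst} never references HOME_NET')
```

Preprocessor alerts are outside the scope of this check, since they are not driven by rule headers.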




