[Snort-users] suppressing events from private lan

hans rosa.schwein at ...12989...
Wed Feb 16 23:05:41 EST 2005


hi matt 

thanks for the response.
i didn't set HOME_NET in the config-file, as i do start 
snort with -h option. 
so the following should work for: 

var HOME_NET $bge0_ADDRESS [172.20.1.0/24] 
var EXTERNAL_NET !$HOME_NET

bge0 is the plumbed interface up and running
and bge2 is the if, where snort is listening.
therefore i would start snort with -i bge2 and without -h 
ok?

best regards 
hans 

-- 

On Wed, Feb 16, 2005 at 05:42:51PM -0500, Matt Kettler wrote:
> At 04:22 PM 2/16/2005, hans wrote:
> >i want to suppress all events from my private lan,
> >which has ip-adr 172.20.x.y  ( rfc 1918 )
> >reading http://www.snort.org/docs/snort_manual/node13.html
> >i see gen_id and sig_id are required
> >are there wildcards ?
> 
> Don't do it that way..  suppress is really intended to fix one or two 
> rules..
> 
> Instead, set EXTERNAL_NET to be !$HOME_NET.. this will take care of the 
> majority of them.
> 
> The few remaining rules you can use suppress, or you can take things to an 
> extreme and use a bpf statement on the snort command line to prevent snort 
> from seeing the packets at all. (the bp filter format is the same one used 
> by the tcpdump command line)
> 
> 
> 
> 
> >question 2: what are AIM_SERVERS in my snort.config
> 
> The list of AOL instant messenger servers for the AIM detection rules. 
> 
> 
> 

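Added example, not part of the thread or of Snort itself: a simplified Python model of how a rule's source-address field resolves against HOME_NET and EXTERNAL_NET. It shows which rules a LAN source can still trigger once EXTERNAL_NET is `!$HOME_NET`, i.e. the remaining candidates for suppress. The rule headers, sid values and the 172.20.0.0/16 range are constructed; address lists and the `<>` operator are not handled.

```python
import ipaddress

# Constructed variables mirroring the thread: the private LAN is 172.20.x.y.
VARS = {"HOME_NET": "172.20.0.0/16", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed rule headers (sid values are placeholders, not real Snort sids).
RULES = [
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (sid:1000001;)",
    "alert tcp any any -> $HOME_NET 22 (sid:1000002;)",
    "alert icmp $HOME_NET any -> $EXTERNAL_NET any (sid:1000003;)",
]


def addr_matches(spec, ip, variables):
    """Simplified address field: 'any', a CIDR, a $VAR, each with optional '!'."""
    negate = False
    while True:
        if spec.startswith("!"):
            negate = not negate
            spec = spec[1:]
        elif spec.startswith("$"):
            spec = variables[spec[1:]]  # expand the variable, then re-check
        else:
            break
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return hit != negate


def rules_still_firing(rules, src_ip, variables):
    """Return the sids whose source field still admits src_ip."""
    sids = []
    for rule in rules:
        header, _, options = rule.partition("(")
        _action, _proto, src, _sport, _dir, _dst, _dport = header.split()
        if addr_matches(src, src_ip, variables):
            sids.append(int(options.split("sid:")[1].split(";")[0]))
    return sids


if __name__ == "__main__":
    lan_host = "172.20.1.5"  # constructed LAN address
    print("EXTERNAL_NET any:        ",
          rules_still_firing(RULES, lan_host, {**VARS, "EXTERNAL_NET": "any"}))
    print("EXTERNAL_NET !$HOME_NET: ",
          rules_still_firing(RULES, lan_host, VARS))
```

Rules whose source is `any` or `$HOME_NET` are unaffected by the EXTERNAL_NET change; a BPF filter would drop them too, at the cost of Snort no longer inspecting LAN-sourced traffic at all.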


