[Snort-users] suppressing events from private lan
rosa.schwein at ...12989...
Wed Feb 16 23:05:41 EST 2005
Thanks for the response.
I didn't set HOME_NET in the config file, as I start
Snort with the -h option.
So the following should work:
var HOME_NET $bge0_ADDRESS [172.20.1.0/24]
var EXTERNAL_NET !$HOME_NET
bge0 is the plumbed interface, up and running,
and bge2 is the interface where Snort is listening.
Therefore I would start Snort with -i bge2 and without -h.
On Wed, Feb 16, 2005 at 05:42:51PM -0500, Matt Kettler wrote:
> At 04:22 PM 2/16/2005, hans wrote:
> >i want to suppress all events from my private lan,
> >which has ip-adr 172.20.x.y ( rfc 1918 )
> >reading http://www.snort.org/docs/snort_manual/node13.html
> >i see gen_id and sig_id are required
> >are there wildcards ?
> Don't do it that way.. suppress is really intended to fix one or two
> Instead, set EXTERNAL_NET to be !$HOME_NET.. this will take care of the
> majority of them.
> The few remaining rules you can use suppress, or you can take things to an
> extreme and use a bpf statement on the snort command line to prevent snort
> from seeing the packets at all. (the bp filter format is the same one used
> by the tcpdump command line)
> >question 2: what are AIM_SERVERS in my snort.config
> The list of AOL instant messenger servers for the AIM detection rules.
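Matt Kettler's point about EXTERNAL_NET, as an added example that is not part of the thread or of Snort's own code: a simplified Python model of rule-header address matching, using the HOME_NET value from the post. The rule headers and sample addresses are constructed, and the model ignores ports, protocols and rule options.

```python
import ipaddress

# HOME_NET value taken from the post; everything else below is constructed.
HOME_NET = [ipaddress.ip_network("172.20.1.0/24")]

# Constructed rule headers: (source variable, destination variable).
RULES = {
    "inbound": ("$EXTERNAL_NET", "$HOME_NET"),
    "outbound": ("$HOME_NET", "$EXTERNAL_NET"),
    "any-any": ("any", "any"),
}


def in_home(ip):
    """True if the address falls inside HOME_NET."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def var_matches(var, ip, external_is_not_home):
    """Simplified model of one rule-header address variable."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_home(ip)
    if var == "$EXTERNAL_NET":
        # 'var EXTERNAL_NET any' matches every address;
        # 'var EXTERNAL_NET !$HOME_NET' matches only non-home addresses.
        return not in_home(ip) if external_is_not_home else True
    raise ValueError(f"unknown variable: {var}")


def firing_rules(src, dst, external_is_not_home):
    """Names of the rule headers whose addresses match this packet."""
    return sorted(
        name
        for name, (src_var, dst_var) in RULES.items()
        if var_matches(src_var, src, external_is_not_home)
        and var_matches(dst_var, dst, external_is_not_home)
    )


if __name__ == "__main__":
    for label, flag in (("EXTERNAL_NET any", False), ("EXTERNAL_NET !$HOME_NET", True)):
        print(label, "LAN->LAN:", firing_rules("172.20.1.10", "172.20.1.20", flag))
```

The header that still matches LAN-to-LAN traffic under `!$HOME_NET` is the kind left over for `suppress` or a BPF filter.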