[Snort-users] suppressing events from private lan

Matt Kettler mkettler at ...4108...
Thu Feb 17 10:51:29 EST 2005


At 02:05 AM 2/17/2005, hans wrote:
>I didn't set HOME_NET in the config-file, as I do start
>snort with -h option.

Those are NOT the same thing.

-h has nothing to do with var HOME_NET, despite the blatantly confusing 
naming chosen (bad naming conventions are a common curse amongst 
programmers, snort's devels are no different.).

-h has to do with which side snort's text-mode alert output will present as 
the source of attack once an alert is detected. Thus, it changes the format 
of alerts, but does not impact whether an alert will be generated or not.

HOME_NET has to do with what targets will be monitored for attack in the 
rules. It doesn't change the output format, but does impact whether an alert 
will be generated or not.

Two totally different aspects of snort are involved, but in theory both 
should be set to the same thing... hence the common, and often confusing, 
name...


>so the following should work for:
>
>var HOME_NET $bge0_ADDRESS [172.20.1.0/24]

Hmm.. that won't work, when doing multiple ranges you need to have them all 
enclosed inside the brackets and separated by commas. I've never tried 
mixing interface and static addresses, but if it's supported, this would be 
the correct syntax:

var HOME_NET [$bge0_ADDRESS, 172.20.1.0/24]


>var EXTERNAL_NET !$HOME_NET
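
Added example (not part of the original post, and not Snort's own parser): a small Python model of the bracketed list syntax described in the reply, and of how HOME_NET and EXTERNAL_NET decide whether a rule header matches at all. The address standing in for $bge0_ADDRESS, the sample rule header and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed values: the address standing in for $bge0_ADDRESS is an assumption.
VARS = {
    "bge0_ADDRESS": "192.0.2.10/32",
    "HOME_NET": "[$bge0_ADDRESS, 172.20.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}

def parse_ip_var(value, variables):
    """Resolve a var value to (negated, [networks]); raise ValueError on bad syntax."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.startswith("["):
        if not value.endswith("]"):
            raise ValueError("unterminated list: " + value)
        items = [item.strip() for item in value[1:-1].split(",")]
    elif re.search(r"[\s,\[\]]", value):
        # e.g. "$bge0_ADDRESS [172.20.1.0/24]": several ranges outside one list
        raise ValueError("multiple ranges must be one bracketed, comma-separated list")
    else:
        items = [value]
    nets = []
    for item in items:
        if item.startswith("$"):
            inner_negated, inner = parse_ip_var(variables[item[1:]], variables)
            if inner_negated:
                raise ValueError("negated variable reference is not modelled here")
            nets.extend(inner)
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return negated, nets

def in_var(addr, name, variables):
    """True if addr is covered by the named variable, honouring a leading '!'."""
    negated, nets = parse_ip_var(variables[name], variables)
    hit = any(ipaddress.ip_address(addr) in net for net in nets)
    return hit != negated

def rule_fires(src, dst, variables):
    """Header check for a rule of the form: alert ip $EXTERNAL_NET any -> $HOME_NET any"""
    return in_var(src, "EXTERNAL_NET", variables) and in_var(dst, "HOME_NET", variables)

if __name__ == "__main__":
    for src, dst in [("172.20.1.5", "192.0.2.10"), ("203.0.113.7", "172.20.1.5")]:
        print(src, "->", dst, "header matches:", rule_fires(src, dst, VARS))
```

With these values, traffic sourced from 172.20.1.0/24 never matches an $EXTERNAL_NET -> $HOME_NET header, which is a matter of rule matching and independent of the -h output setting.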




