[Snort-users] suppressing events from private lan
mkettler at ...4108...
Thu Feb 17 10:51:29 EST 2005
At 02:05 AM 2/17/2005, hans wrote:
>I didn't set HOME_NET in the config-file, as I do start
>snort with -h option.
Those are NOT the same thing.
-h has nothing to do with var HOME_NET, despite the blatantly confusing
naming chosen (bad naming conventions are a common curse amongst
programmers, snort's devels are no different).
-h has to do with which side snort's text-mode alert output will present as
the source of attack once an alert is detected. Thus, it changes the format
of alerts, but does not impact whether an alert will be generated or not.

HOME_NET has to do with what targets will be monitored for attack in the
rules. It doesn't change the output format, but does impact whether an alert
will be generated or not.
Two totally different aspects of snort are involved, but in theory both
should be set to the same thing... hence the common, and often confusing,
>so the following should work for:
>var HOME_NET $bge0_ADDRESS [172.20.1.0/24]
Hmm.. that won't work, when doing multiple ranges you need to have them all
enclosed inside the brackets and separated by commas. I've never tried
mixing interface and static addresses, but if it's supported, this would be
the correct syntax:
var HOME_NET [$bge0_ADDRESS, 172.20.1.0/24]
>var EXTERNAL_NET !$HOME_NET