[Snort-users] suppressing events from private lan

hans rosa.schwein at ...12989...
Thu Feb 17 14:57:12 EST 2005


hi matt

thanks for answering again. 
i did change the config due to your recommendations. 
it seems, it is working as expected. 

but this means, if snort could see an attack from
internet to my private lan ( it's really at home ) 
it would also log this to file, or whatever defined.

best regards 
hans 

-- 


On Thu, Feb 17, 2005 at 01:50:45PM -0500, Matt Kettler wrote:
> At 02:05 AM 2/17/2005, hans wrote:
> >i didn't set HOME_NET in the config-file, as i do start
> >snort with -h option.
> 
> Those are NOT the same thing.
> 
> -h has nothing to do with var HOME_NET, despite the blatantly confusing 
> naming chosen (bad naming conventions are a common curse amongst 
> programmers, snort's devels are no different.).
> 
> -h has to do with which side snort's text-mode alert output will present as 
> the source of attack once an alert is detected. Thus, it changes the format 
> of alerts, but does not impact whether an alert will be generated or not.
> 
> HOME_NET has to do with what targets will be monitored for attack in the 
> rules. It doesn't change the output format, but does impact whether an alert 
> will be generated or not.
> 
> Two totally different aspects of snort are involved, but in theory both 
> should be set to the same thing... hence the common, and often confusing, 
> name...
> 
> 
> >so the following should work for:
> >
> >var HOME_NET $bge0_ADDRESS [172.20.1.0/24]
> 
> Hmm.. that won't work, when doing multiple ranges you need to have them all 
> enclosed inside the brackets and separated by commas. I've never tried 
> mixing interface and static addresses, but if it's supported, this would be 
> the correct syntax:
> 
> var HOME_NET [$bge0_ADDRESS, 172.20.1.0/24]
> 
> 
> >var EXTERNAL_NET !$HOME_NET
> 
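
Added example (not part of the original messages and not Snort's own code): a simplified Python model of how the HOME_NET / EXTERNAL_NET definitions quoted above decide whether a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` applies to a packet, including the bracket-and-comma requirement for multiple ranges. The value given for `bge0_ADDRESS` and all packet addresses are constructed; `-h` is not modelled because, per the reply, it only changes alert output.

```python
import ipaddress

def matches(ip, spec, variables):
    """Does `ip` fall inside a Snort-style address spec? (simplified model)"""
    spec = spec.strip()
    if spec.startswith("!"):                      # negation, e.g. !$HOME_NET
        return not matches(ip, spec[1:], variables)
    if spec.startswith("[") and spec.endswith("]"):
        items = [i.strip() for i in spec[1:-1].split(",")]
        if any(i.startswith("!") for i in items):
            raise ValueError("negated list entries are not modelled here")
        # list comprehension so every entry is parsed, not just the first hit
        return any([matches(ip, i, variables) for i in items])
    if len(spec.split()) > 1 or "," in spec:
        raise ValueError("multiple ranges need [a,b] syntax: %r" % spec)
    if spec.startswith("$"):                      # variable reference
        return matches(ip, variables[spec[1:]], variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_applies(src, dst, variables):
    """Header check for a rule of the form: $EXTERNAL_NET any -> $HOME_NET any."""
    return (matches(src, "$EXTERNAL_NET", variables)
            and matches(dst, "$HOME_NET", variables))

# Constructed values: bge0_ADDRESS stands in for the interface address.
GOOD = {
    "bge0_ADDRESS": "203.0.113.10/32",
    "HOME_NET": "[$bge0_ADDRESS, 172.20.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}
BAD = dict(GOOD, HOME_NET="$bge0_ADDRESS [172.20.1.0/24]")

def demo():
    results = {
        "internet -> lan": rule_applies("198.51.100.7", "172.20.1.25", GOOD),
        "lan -> lan": rule_applies("172.20.1.30", "172.20.1.25", GOOD),
        "lan -> internet": rule_applies("172.20.1.30", "198.51.100.7", GOOD),
    }
    try:
        rule_applies("198.51.100.7", "172.20.1.25", BAD)
        results["unbracketed list"] = "accepted"
    except ValueError:
        results["unbracketed list"] = "rejected"
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "=>", outcome)
```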



