[Snort-users] suppressing events from private lan
rosa.schwein at ...12989...
Thu Feb 17 14:57:12 EST 2005
Thanks for answering again.
I did change the config per your recommendations.
It seems it is working as expected.
But this means, if snort could see an attack from the
internet to my private lan (it's really at home),
it would also log this to file, or whatever is defined.
On Thu, Feb 17, 2005 at 01:50:45PM -0500, Matt Kettler wrote:
> At 02:05 AM 2/17/2005, hans wrote:
> >i didn't set HOME_NET in the config-file, as i do start
> >snort with -h option.
> Those are NOT the same thing.
> -h has nothing to do with var HOME_NET, despite the blatantly confusing
> naming chosen (bad naming conventions are a common curse amongst
> programmers, snort's devels are no different.).
> -h has to do with which side snort's text-mode alert output will present as
> the source of attack once an alert is detected. Thus, it changes the format
> of alerts, but does not impact whether an alert will be generated or not.
> HOME_NET has to do with what targets will be monitored for attack in the
> rules. It doesn't change the output format, but does impact whether an alert
> will be generated or not.
> Two totally different aspects of snort are involved, but in theory both
> should be set to the same thing... hence the common, and often confusing,
> >so the following should work for:
> >var HOME_NET $bge0_ADDRESS [172.20.1.0/24]
> Hmm.. that won't work, when doing multiple ranges you need to have them all
> enclosed inside the brackets and separated by commas. I've never tried
> mixing interface and static addresses, but if it's supported, this would be
> the correct syntax:
> var HOME_NET [$bge0_ADDRESS, 172.20.1.0/24]
> >var EXTERNAL_NET !$HOME_NET
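
An added example, not part of the original thread or of Snort itself: a small Python lint that applies the list syntax rule described above (multiple ranges inside one pair of brackets, separated by commas) to `var` lines before Snort is started. The function names, the constructed sample config text and the treatment of any `$<iface>_ADDRESS` reference as always defined are assumptions made for illustration.

```python
import re

# Constructed sample config text: the two HOME_NET forms quoted in the thread.
SAMPLE_CONF = """\
var HOME_NET $bge0_ADDRESS [172.20.1.0/24]
var EXTERNAL_NET !$HOME_NET
"""
GOOD_CONF = """\
var HOME_NET [$bge0_ADDRESS, 172.20.1.0/24]
var EXTERNAL_NET !$HOME_NET
"""

VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(.*?)\s*$")
BAD_LIST = "multiple ranges must be enclosed in [...] and comma separated"

def check_var_value(value):
    """Return the syntax problems found in one var value."""
    problems = []
    body = value.lstrip("!")  # a leading ! negates the whole value
    if body.startswith("[") and body.endswith("]"):
        for item in (i.strip() for i in body[1:-1].split(",")):
            if not item:
                problems.append("empty list element")
            elif re.search(r"\s", item):
                # whitespace inside one element means a comma is missing
                problems.append(f"missing comma in {item!r}")
    elif re.search(r"[\s\[\],]", body):
        # more than one token, or stray brackets, outside a single [...] list
        problems.append(BAD_LIST)
    return problems

def lint(conf_text):
    """Map each var name to its problems, including undefined $VAR references."""
    defined, report = set(), {}
    for line in conf_text.splitlines():
        m = VAR_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        problems = check_var_value(value)
        for ref in re.findall(r"\$(\w+)", value):
            # assumption: $<iface>_ADDRESS is resolved by Snort from the interface
            if not ref.endswith("_ADDRESS") and ref not in defined:
                problems.append(f"${ref} used before definition")
        defined.add(name)
        report[name] = problems
    return report
```

An empty list for every variable means the file passes this check; it does not confirm that mixing interface and static addresses is supported, which the reply above leaves open.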