[Snort-users] suppressing events from private lan

Matt Kettler mkettler at ...4108...
Thu Feb 17 15:19:29 EST 2005

At 05:56 PM 2/17/2005, hans wrote:
>thanks for answering again.
>i did change the config due to your recommendations.
>it seems, it is working as expected.
>but this means, if snort could see an attack from
>internet to my private lan ( it's really at home )
>it would also log this to file, or whatever defined.

Yes. In general, snort rules look for attacks from EXTERNAL_NET to HOME_NET.

However, one thing to be aware of is to keep in mind what it's possible for 
snort to see.

Your is a reserved non-routable IP range, implying you've got 
a NAT somewhere.... If snort is sniffing your outside interface on a NAT 
firewall, it's never going to see packets addressed there, and you should 
leave that part out. If snort is also sniffing a post-NAT interface, then 
you want to include those IPs.

(Remember, outside of your private network, those addresses are not 
routable, thus your ISP will never forward packets addressed to to your network. They don't even know you are using that 
address space, nor do they care. They only care about the address you NAT 
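As an added illustration of the point above (this is not code from the original post or from the Snort project), the following script models how Snort evaluates the common `EXTERNAL_NET -> HOME_NET` rule header against packets seen at a pre-NAT and a post-NAT capture point. It implements a small subset of Snort's IP-variable syntax (`any`, CIDR, bracketed lists, `!` negation of an item or a whole variable, `$VAR` references; nested `$VAR` inside brackets is not supported). All addresses are constructed from documentation ranges, and the variable values are assumptions chosen for the example.

```python
import ipaddress

# Constructed snort.conf-style variables (assumption: a home LAN on
# 192.168.1.0/24 behind a NAT firewall whose public address is 203.0.113.5).
VARS = {
    "HOME_NET": "[192.168.1.0/24,203.0.113.5/32]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def parse_spec(spec, variables):
    """Parse a Snort IP variable into (negated, includes, excludes).

    includes/excludes are lists of ip_network objects. A leading '!' negates
    the whole specification; a '!' on an item inside brackets excludes it.
    """
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:]
    if spec.startswith("$"):
        inner_neg, inc, exc = parse_spec(variables[spec[1:]], variables)
        return negated != inner_neg, inc, exc
    includes, excludes = [], []
    items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    for item in items:
        item = item.strip()
        if item == "any":
            includes.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item.startswith("!"):
            excludes.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            includes.append(ipaddress.ip_network(item, strict=False))
    return negated, includes, excludes


def ip_matches(spec, ip, variables=VARS):
    """True if the address satisfies the variable the way Snort would test it."""
    negated, inc, exc = parse_spec(spec, variables)
    addr = ipaddress.ip_address(ip)
    hit = any(addr in n for n in inc) and not any(addr in n for n in exc)
    return hit != negated


def external_to_home(packets, variables=VARS):
    """Return the (src, dst) pairs that satisfy an EXTERNAL_NET -> HOME_NET header."""
    return [
        (src, dst)
        for src, dst in packets
        if ip_matches("$EXTERNAL_NET", src, variables)
        and ip_matches("$HOME_NET", dst, variables)
    ]


# Constructed sample traffic as the two capture points would see the same flow.
# Outside (pre-NAT) interface: the internet host can only address the public IP.
OUTSIDE_IF = [("198.51.100.7", "203.0.113.5")]
# Inside (post-NAT) interface: the flow is now addressed to the LAN host,
# plus one LAN-internal packet that should not count as EXTERNAL -> HOME.
INSIDE_IF = [
    ("198.51.100.7", "192.168.1.20"),
    ("192.168.1.20", "192.168.1.1"),
]

# HOME_NET without the private range, as the post suggests for an outside-only sensor.
PUBLIC_ONLY_VARS = {"HOME_NET": "203.0.113.5/32", "EXTERNAL_NET": "!$HOME_NET"}


if __name__ == "__main__":
    print("outside, full HOME_NET :", external_to_home(OUTSIDE_IF))
    print("inside,  full HOME_NET :", external_to_home(INSIDE_IF))
    # On the post-NAT side the private range must be in HOME_NET or nothing fires.
    print("inside,  public-only   :", external_to_home(INSIDE_IF, PUBLIC_ONLY_VARS))
```

Running it shows the trade-off the reply describes: on the outside interface the private destinations never appear, so listing them in HOME_NET changes nothing, while on the post-NAT interface they must be listed or the inbound flow to the LAN host is not matched at all.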

