[Snort-users] suppresing events from private lan

Matt Kettler mkettler at ...4108...
Thu Feb 17 15:19:29 EST 2005


At 05:56 PM 2/17/2005, hans wrote:
>thanks for answering again.
>i did change the config due to your recommendations.
>it seems, it is working as expected.
>
>but this means, if snort could see an attack from
>internet to my private lan ( it's really at home )
>it would also log this to file, or whatever defined.

Yes. In general, snort rules look for attacks from EXTERNAL_NET to HOME_NET.


However, one thing to be aware of is to keep in mind what it's possible for 
snort to see.

Your 172.20.1.0/24 is a reserved non-routable IP range, implying you've got 
a NAT somewhere.... If snort is sniffing your outside interface on a NAT 
firewall, it's never going to see packets addressed there, and you should 
leave that part out.  If snort is also sniffing a post-nat interface, then 
you want to include those IPs.

(Remember, outside of your private network, those addresses are not 
routeable, thus your ISP will never forward packets addressed to 
172.20.1.0/24 to your network. They don't even know you are using that 
address space, nor do they care. They only care about the address you NAT 
against.)






More information about the Snort-users mailing list