[Snort-users] suppresing events from private lan
mkettler at ...4108...
Thu Feb 17 15:19:29 EST 2005
At 05:56 PM 2/17/2005, hans wrote:
>thanks for answering again.
>i did change the config due to your recommendations.
>it seems, it is working as expected.
>but this means, if snort could see an attack from
>internet to my private lan ( it's really at home )
>it would also log this to file, or whatever defined.
Yes. In general, snort rules look for attacks from EXTERNAL_NET to HOME_NET.
However, one thing to be aware of is to keep in mind what it's possible for
snort to see.
Your 172.20.1.0/24 is a reserved non-routable IP range, implying you've got
a NAT somewhere.... If snort is sniffing your outside interface on a NAT
firewall, it's never going to see packets addressed there, and you should
leave that part out. If snort is also sniffing a post-nat interface, then
you want to include those IPs.
(Remember, outside of your private network, those addresses are not
routeable, thus your ISP will never forward packets addressed to
172.20.1.0/24 to your network. They don't even know you are using that
address space, nor do they care. They only care about the address you NAT
More information about the Snort-users