[Snort-users] suppresing events from private lan
rosa.schwein at ...12989...
Fri Feb 18 00:18:50 EST 2005
Of course, I know. A packet from the Internet with destination 172.20.x.y
can never reach me, therefore I said "... if Snort could see ..."
as there is no NAT rule in my firewall.
My question was along the lines of: do I understand Snort correctly?
And you did confirm it.
On Thu, Feb 17, 2005 at 06:18:05PM -0500, Matt Kettler wrote:
> At 05:56 PM 2/17/2005, hans wrote:
> >Thanks for answering again.
> >I did change the config according to your recommendations.
> >It seems it is working as expected.
> >But this means, if Snort could see an attack from the
> >Internet to my private LAN (it's really at home),
> >it would also log this to a file, or whatever is defined.
> Yes. In general, Snort rules look for attacks from EXTERNAL_NET to HOME_NET.
> However, one thing to keep in mind is what it's possible for
> Snort to see.
> Your 172.20.1.0/24 is a reserved non-routable IP range, implying you've got
> a NAT somewhere.... If snort is sniffing your outside interface on a NAT
> firewall, it's never going to see packets addressed there, and you should
> leave that part out. If snort is also sniffing a post-nat interface, then
> you want to include those IPs.
> (Remember, outside of your private network, those addresses are not
> routable, thus your ISP will never forward packets addressed to
> 172.20.1.0/24 to your network. They don't even know you are using that
> address space, nor do they care. They only care about the address you NAT
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
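As an added illustration of the advice in this thread (example code written for this page, not Snort's own code or anything posted by the participants): the script below decides which of the admin's candidate networks belong in HOME_NET depending on whether the sensor sniffs an outside (pre-NAT) or an inside (post-NAT) interface, emits the corresponding snort.conf 2.x variable lines, and models the direction check of an `$EXTERNAL_NET any -> $HOME_NET any` rule against a few constructed packets. The 172.20.1.0/24 range is the one from the thread; the 198.51.100.7 "NAT address", the 192.0.2.9 attacker and the sample packets are constructed placeholders from the documentation ranges, and `home_net_for`, `snort_vars` and `rule_can_match` are hypothetical helper names.

```python
"""Added example for the Snort-users thread above (not Snort code).

Decides which networks belong in HOME_NET for a sensor, depending on where it
sniffs relative to the NAT firewall, prints the snort.conf variable lines and
shows which constructed packets a $EXTERNAL_NET -> $HOME_NET rule could match.
"""
import ipaddress

# RFC 1918 space is never routed to you from the Internet, so a sensor on the
# outside (pre-NAT) interface can never see a packet addressed into it.
# Checked explicitly rather than via ipaddress.is_private, which also covers
# the documentation ranges used as placeholders here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the given CIDR (string or network) lies inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def home_net_for(candidates, sees_post_nat):
    """Return the networks to include in HOME_NET.

    candidates    -- CIDR strings the admin regards as "home"
    sees_post_nat -- True when the sensor watches an inside (post-NAT)
                     interface, where private destinations are visible
    """
    keep = []
    for cidr in candidates:
        net = ipaddress.ip_network(cidr, strict=False)
        if is_rfc1918(net) and not sees_post_nat:
            continue  # unreachable from the Internet on this sensor: leave it out
        keep.append(net)
    return keep


def snort_vars(networks):
    """snort.conf (2.x) lines: a bracketed, comma-separated list, no spaces."""
    joined = ",".join(str(n) for n in networks)
    return [f"var HOME_NET [{joined}]", "var EXTERNAL_NET !$HOME_NET"]


def rule_can_match(src, dst, home):
    """Model the address/direction part of 'alert ip $EXTERNAL_NET any -> $HOME_NET any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def in_home(addr):
        return any(addr in n for n in home)

    return (not in_home(s)) and in_home(d)


if __name__ == "__main__":
    # Constructed candidates: the thread's private LAN plus a placeholder NAT address.
    candidates = ["172.20.1.0/24", "198.51.100.7/32"]
    # Constructed packets: inbound to the NAT address, inbound to the LAN, outbound.
    packets = [("192.0.2.9", "198.51.100.7"),
               ("192.0.2.9", "172.20.1.5"),
               ("172.20.1.5", "192.0.2.9")]
    for label, post_nat in (("outside (pre-NAT) sensor", False),
                            ("inside (post-NAT) sensor", True)):
        home = home_net_for(candidates, post_nat)
        print(f"# {label}")
        print("\n".join(snort_vars(home)))
        for src, dst in packets:
            verdict = "match" if rule_can_match(src, dst, home) else "no match"
            print(f"  {src} -> {dst}: {verdict}")
```

On the outside sensor the private range drops out of HOME_NET, which is exactly the "leave that part out" advice: a rule can only match traffic to the NAT address. On the inside sensor both ranges stay, so an inbound packet to 172.20.1.5 (post-NAT) is matched while the outbound reply from it is not, since the rule direction is EXTERNAL_NET to HOME_NET.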