[Snort-users] suppressing events from private lan

hans rosa.schwein at ...12989...
Fri Feb 18 00:18:50 EST 2005


hi matt 

of course, i know.  a packet from in with destination 172.20.x.y
can never reach me, therefore i said ".. if snort could see .."
as there is no nat-rule in my fw.

my question was in the direction of: do i understand snort correctly,
and you did commit. 

best regards 
hans 


On Thu, Feb 17, 2005 at 06:18:05PM -0500, Matt Kettler wrote:
> At 05:56 PM 2/17/2005, hans wrote:
> >thanks for answering again.
> >i did change the config due to your recommendations.
> >it seems, it is working as expected.
> >
> >but this means, if snort could see an attack from
> >internet to my private lan ( it's really at home )
> >it would also log this to file, or whatever defined.
> 
> Yes. In general, snort rules look for attacks from EXTERNAL_NET to HOME_NET.
> 
> 
> However, one thing to be aware of is to keep in mind what it's possible for 
> snort to see.
> 
> Your 172.20.1.0/24 is a reserved non-routable IP range, implying you've got 
> a NAT somewhere.... If snort is sniffing your outside interface on a NAT 
> firewall, it's never going to see packets addressed there, and you should 
> leave that part out.  If snort is also sniffing a post-nat interface, then 
> you want to include those IPs.
> 
> (Remember, outside of your private network, those addresses are not 
> routable, thus your ISP will never forward packets addressed to 
> 172.20.1.0/24 to your network. They don't even know you are using that 
> address space, nor do they care. They only care about the address you NAT 
> against.)
> 
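A small check written for this thread (not Snort's own code, and not from either poster) that flags HOME_NET entries a sensor on the pre-NAT outside interface can never see traffic for, run against a constructed snort.conf fragment containing the 172.20.1.0/24 range under discussion; the public address 203.0.113.10 is a placeholder from the documentation range.

```python
import ipaddress
import re

# Constructed snort.conf fragment for illustration. 172.20.1.0/24 is the
# private range from the thread; 203.0.113.10 stands in for the NAT address.
SAMPLE_CONF = """\
var HOME_NET [203.0.113.10/32,172.20.1.0/24]
var EXTERNAL_NET !$HOME_NET
"""

# RFC 1918 address space: never routed on the public internet, so a sensor
# on the outside of a NAT firewall never sees packets addressed to it.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_home_net(conf_text):
    """Return the CIDR entries of the HOME_NET definition as ip_network objects.

    Accepts both `var` and `ipvar` and the [a,b,c] list syntax; the literal
    value `any` yields an empty list because there is nothing to check.
    """
    m = re.search(r"^\s*(?:ip)?var\s+HOME_NET\s+(\S+)", conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no HOME_NET definition found")
    raw = m.group(1).strip("[]")
    if raw == "any":
        return []
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in raw.split(",") if p.strip()]


def unreachable_home_nets(conf_text, sensor_is_pre_nat):
    """HOME_NET entries the sensor cannot observe given where it sniffs.

    On a pre-NAT (outside) interface, RFC 1918 destinations never appear on
    the wire, so those entries are dead weight in HOME_NET. On a post-NAT
    interface every entry is legitimate and nothing is flagged.
    """
    if not sensor_is_pre_nat:
        return []
    return [net for net in parse_home_net(conf_text)
            if net.version == 4 and any(net.subnet_of(priv) for priv in PRIVATE_RANGES)]


if __name__ == "__main__":
    for net in unreachable_home_nets(SAMPLE_CONF, sensor_is_pre_nat=True):
        print(f"HOME_NET entry {net} is private: invisible on a pre-NAT sensor")
```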