[Snort-users] Excluding a single IP from HOME_NET
celzinga at ...11827...
Fri May 30 10:59:41 EDT 2008
Didn't know about the "-o" flag, but that won't work after all in my setup - I'm
interested in traffic to and from the proxy server.
> If however we want proxy to *not be part of external_net* then we can do
> var EXTERNAL_NET !10.0.0.0/8
Thanks for testing. The proxy should be excluded from HOME_NET, but
included in EXTERNAL_NET, so this won't work either.
On Fri, May 30, 2008 at 3:03 PM, Jeff Kell <jeff-kell at ...6282...> wrote:
> Cees wrote:
>> (BTW Jeff, a pass rule won't work since the IDS isn't placed inline.)
> If you use the pass rule, and run snort with "-o" so pass rules come first,
> the net effect is that your excluded IP matches the pass rule and no further
> rules are evaluated on that packet.
> Doesn't matter if you're inline or not.