[Snort-users] Excluding a single IP from HOME_NET

Cees celzinga at ...11827...
Fri May 30 10:59:41 EDT 2008


Didn't know about the "-o" flag, but that won't work in my setup - I'm
interested in traffic to and from the proxy server.

> If however we want proxy to *not be part of external_net* then we can do
> this:
> var EXTERNAL_NET !10.0.0.0/8

Thanks for testing. The proxy should be excluded from HOME_NET, but
included in EXTERNAL_NET, so this won't work either.

Cees

On Fri, May 30, 2008 at 3:03 PM, Jeff Kell <jeff-kell at ...6282...> wrote:

> Cees wrote:
>
>> (BTW Jeff, a pass rule won't work since the IDS isn't placed inline.)
>>
>
> If you use the pass rule, and run snort with "-o" so pass rules come first,
> the net effect is that your excluded IP matches the pass rule and no further
> rules are evaluated on that packet.
>
> Doesn't matter if you're inline or not.
>
> Jeff
>
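To make the distinction in this thread concrete, the following is an added Python illustration (not Snort code and not posted on the list) of the ipvar list semantics that the Snort 2.8 manual describes: non-negated entries are OR'ed together, negated entries are OR'ed and then AND'ed in as exclusions, and a list of only negations matches everything outside it. The proxy address 10.0.0.50 and the other hosts are constructed placeholders.

```python
import ipaddress

# Constructed placeholder for the proxy discussed in the thread (not from the list).
PROXY = "10.0.0.50"

def parse_iplist(spec):
    """Split a Snort-style ipvar list such as "[10.0.0.0/8,!10.0.0.50]" into
    (non-negated networks, negated networks). Nested lists are not handled."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positives, negatives = [], []
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("!"):
            negatives.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            positives.append(ipaddress.ip_network(item, strict=False))
    return positives, negatives

def matches(spec, ip):
    """Snort 2.8 ipvar semantics: OR the non-negated entries, then AND with
    NOT (OR of the negated entries). A negation-only list such as
    "!10.0.0.0/8" matches every address outside those networks."""
    addr = ipaddress.ip_address(ip)
    positives, negatives = parse_iplist(spec)
    in_pos = any(addr in n for n in positives) if positives else True
    in_neg = any(addr in n for n in negatives)
    return in_pos and not in_neg

def classify(home_net, external_net, ip):
    """Return (in HOME_NET, in EXTERNAL_NET) for one address. The common
    definition "ipvar EXTERNAL_NET !$HOME_NET" is resolved by hand here."""
    home = matches(home_net, ip)
    ext = (not home) if external_net == "!$HOME_NET" else matches(external_net, ip)
    return home, ext

if __name__ == "__main__":
    # The suggestion from the thread: the proxy stays inside HOME_NET and
    # drops out of EXTERNAL_NET, the opposite of what was wanted.
    print("!10.0.0.0/8 for EXTERNAL_NET:", classify("10.0.0.0/8", "!10.0.0.0/8", PROXY))
    # Carving the proxy out of HOME_NET instead puts it on the external side
    # while the rest of 10.0.0.0/8 stays internal.
    home = "[10.0.0.0/8,!10.0.0.50]"
    for host in (PROXY, "10.0.0.7", "192.0.2.1"):
        print(host, classify(home, "!$HOME_NET", host))
```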