Home page logo

snort logo Snort mailing list archives

Re: Network Variables
From: "Seth Dunn" <seth () d2ms com>
Date: Tue, 30 Apr 2013 11:04:21 -0400

Ok, I think I got it corrected.
I altered my EXTERNEL_NET variable to ::  [!,!]
That seems to have stopped the false-positives, while still logging
other traffic.
So I am assuming there is a default "any" aspect to this variable.


From: Seth Dunn [mailto:seth () d2ms com] 
Sent: Monday, April 29, 2013 10:23 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Network Variables


I am running Snort on Windows 2008 Server R2

I am trying to figure out how I can bypass traffic that is being sent
from certain networks, since it is creating false-positives

Information on my setup.
My watched networks are:: 10.75.x.x/24 and 10.76.x.x/24
Now I also have two other networks, that are not being watched, but are
part of my companies network and setup.
They are:: 10.10.x.x/24 <- Office network
10.30.x.x/24 <- Remote VPN users

Originally I tried putting in a .bpf file, but that did not work.
(anyone know how to make it work?)

So I tried my HOME_NET like this::
That didn't work, snort still sent out alerts for the two networks.
So I put HOME_NET back to ::  [,]
And set EXTERNAL_NET to this::  [any, !,!], that
did not work
So I tried::  [any, [!,]], that did not work


Any ideas on what I can do to fix this?

My networks 10.75.x.x and 10.76.x.x are connected to the networks
10.10.x.x and 10.30.x.x via two Cisco PIX 515E's



Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]