Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Remove Home_NET from EXTERNAL_NET any

From: DThomaz () flowserve com
Date: Wed, 3 Jul 2002 11:28:45 -0600

How about removing  and address from the rule.

alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (msg:"MISC Large
ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown;
sid:499; rev:1;)

I do not want to see alerts from 172.20.11.3, should I edit at the rule or
at the snort.conf?
When I remove from the rule I get this error running snort

Jul  3 11:16:40 ormnm9 snort: FATAL ERROR: ERROR /etc/snort//misc.rules (7)
=> Rule netmask (16!172.20.11.3/30) didn't x-late, WTF?

Thanks,

David




                                                                                                   
                    Erek Adams                                                                     
                    <erek@theadamsf       To:     David Thomaz/North America/Flowserve@Flowserve   
                    amily.net>            cc:     Snort-users () lists sourceforge net                
                                          Subject:     Re: [Snort-users] Remove Home_NET from      
                    07/02/2002             EXTERNAL_NET any                                        
                    03:12 PM                                                                       
                                                                                                   
                                                                                                   



On Tue, 2 Jul 2002 DThomaz () flowserve com wrote:


My logs are getting  home_net users as external_net.
How do I make a statement on snort.conf that will not apply internal

users

as external.

Here is my variables:

var HOME_NET 172.16.0.0/12

var EXTERNAL_NET any !$HOME_NET


Change that to:

     var EXTERNAL_NET !$HOME_NET

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
No, I will not fix your computer.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: