 
From: Alberto Gonzalez (ag-snort_at_cerebro.violating.us)
Date: Thu Oct 24 2002 - 11:56:59 CDT


    var EXTERNAL_NET !$HOME_NET

    pilslgoldfisch.at wrote:

    >I'm quite new to snort. I set the home_net to my internal-net and
    >external_net to any
    >
    >Now I got myriads of alerts when internal clients connect to our squid
    >server. Of course this is not what I want (alerts are only useful on
    >external connects), so I took a close look at the corresponding rule:
    >
    >alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy
    >attempt"; flags:S; classtype:attempted-recon; sid:618;
    >rev:2;)
    >sid-msg.map:618 || SCAN Squid Proxy attempt
    >
    >
    >In that sense of course any connect from HOME_NET to HOME_NET will
    >raise an alert, cause home_net is a real subnet of EXTERNAL_NET.
    >
    >So I think it would be wise to define EXTERNAL_NET as "ANY but not
    >HOME_NET".
    >
    >Is there any reason why I don't want to do this? If not: how could I
    >do this? In the docs I found only way to specify include-changes but
    >no ways to specify exclude-ranges.
    >
    >
    >Of course I could remove the whole rule on the sensor for the internal
    >interface, but I'd like to keep both rulesets consistent for easier
    >maintenance.
    >
    >best,
    >peter

    -- 
    The secret to success is to start from scratch and keep on scratching.
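
The effect of the one-line answer on the header of sid:618, as an added example that is not part of the original messages or of Snort itself. The matcher is a simplified model (single CIDR, `any`, `$VAR` and `!` only), and the network, squid host and client addresses are constructed sample values.

```python
import ipaddress

def addr_matches(ip, spec, variables):
    """Evaluate a Snort-style address spec: any, CIDR, $VAR, with optional '!'."""
    negate = False
    while spec.startswith(("!", "$")):
        if spec[0] == "!":
            negate = not negate
            spec = spec[1:]
        else:
            spec = variables[spec[1:]]  # expand the variable reference
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return hit != negate

def sid618_fires(src, dst, dport, variables):
    """Header of sid:618: $EXTERNAL_NET any -> $HOME_NET 3128 (SYN assumed set)."""
    return (addr_matches(src, "$EXTERNAL_NET", variables)
            and addr_matches(dst, "$HOME_NET", variables)
            and dport == 3128)

# Constructed values: HOME_NET, the squid host and both clients are samples.
HOME = "192.168.1.0/24"
BEFORE = {"HOME_NET": HOME, "EXTERNAL_NET": "any"}
AFTER = {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET"}
SYNS = [
    ("192.168.1.55", "192.168.1.10", 3128),  # internal client -> squid
    ("203.0.113.7", "192.168.1.10", 3128),   # outside host -> squid
]

def compare():
    """Return [(src, fires_before, fires_after), ...] for the sample SYNs."""
    return [(s, sid618_fires(s, d, p, BEFORE), sid618_fires(s, d, p, AFTER))
            for s, d, p in SYNS]

if __name__ == "__main__":
    for src, before, after in compare():
        print(f"{src:15} any={before!s:5} !$HOME_NET={after}")
```

With `!$HOME_NET`, every rule written as `$EXTERNAL_NET -> $HOME_NET` stops matching internal-to-internal traffic, so activity between hosts inside HOME_NET is no longer covered by those rules.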
    
