I'm not sure if I understand your question correctly, but in the
snort.conf file, you should set $HOME_NET to 192.168.1.0/24 and
EXTERNAL_NET to !$HOME_NET. I wouldn't recommend ignoring local traffic
as Snort can do wonders for detecting malware trying to connect out from
the host/host network. If you still get a lot of false positives, try
and tweak the rules or create your own in order to get your desired results.
Jonathan Askew JBASKEW wrote:
I am new to IDS and have just set up snort on a ubuntu host. It has worked
well except for the fact that I am getting some false positivies from local
traffic on the network. I have been trying to find the solution on snort's
forums but the site seems to be going up and down randomly. I want to set a
rule in order to suppress/ignore local network traffic for 192.168.1.0/24.
I know this can be done in the /etc/threshold.conf file but have not been
able to do so successfully. Can someone be so kind as to post their
threshold.conf file or guide me through the process?
Thanks,
Blake
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
__________ NOD32 2724 (20071214) Information __________
This message was checked by NOD32 antivirus system.
http://www.eset.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
