I am trying to setup a simple rule but it doesn't appear to be
working. We have has some issues with people plugging in their laptops
to our corp. network. Some of these folks have static addresses and
try to send some traffic outbound, while the traffic gets dropped at a
firewall I want to log and alert on any non Home_NET IP's trying to go
out. I thought it would be fairly easy just set home_net to something
like
var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] and var HOME_NET
[172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] then comment out other rules
in snort.conf except local.rule.
In local rule set it to something like
alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP
detected";)
I then start snort like
snort -e -i eth1 -l /u01/snort -s -D &
When I look at the log down /u01/snort it lists tons of IP's going
from an IP like 10.30 or 172.x.x.x going to some random IP. How do I
get my rules to only log the packets for non-Home_Net IP's trying to
talk to other non-Home_Net IP's?
Thanks,
Nick
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
