Re: Snort Network Suppression

---

• From: "Boogie B." <boogiebruva@xxxxxxxxxxx>
• Date: Fri, 14 Dec 2007 22:02:05 +0100

---

I'm not sure if I understand your question correctly, but in the
snort.conf file, you should set $HOME_NET to 192.168.1.0/24 and
EXTERNAL_NET to !$HOME_NET. I wouldn't recommend ignoring local traffic
as Snort can do wonders for detecting malware trying to connect out from
the host/host network. If you still get a lot of false positives, try
and tweak the rules or create your own in order to get your desired results.

Jonathan Askew JBASKEW wrote:

I am new to IDS and have just set up snort on a ubuntu host. It has worked
well except for the fact that I am getting some false positivies from local
traffic on the network. I have been trying to find the solution on snort's
forums but the site seems to be going up and down randomly. I want to set a
rule in order to suppress/ignore local network traffic for 192.168.1.0/24.
I know this can be done in the /etc/threshold.conf file but have not been
able to do so successfully. Can someone be so kind as to post their
threshold.conf file or guide me through the process?

Thanks,
Blake


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


__________ NOD32 2724 (20071214) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

---

• References:
  • Snort Network Suppression
    • From: Jonathan Askew JBASKEW

• Prev by Date: RE: Snort Network Suppression
• Next by Date: Re: Snort Network Suppression
• Previous by thread: RE: Snort Network Suppression
• Next by thread: Re: Snort Network Suppression
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: HIDS/HIPS Selection Process ... network based, many of the same considerations are suggested. ... Subject: Re: HIDS/HIPS Selection Process ... > with real-world attacks from CORE IMPACT. ... (Focus-IDS) RE: Scan for "outsider" Pcs on network ... If all he wants is to find out when new machines show up, ... If he is interested in more control, he needs a strict network as you ... with real-world attacks from CORE IMPACT. ... (Focus-IDS) RE: Scan for "outsider" Pcs on network ... If all he wants is to find out when new machines show up, ... If he is interested in more control, he needs a strict network as you ... with real-world attacks from CORE IMPACT. ... (Focus-IDS) RE: IDS ... product which not only sets the patch management ... network to go through a compliance check on things ... with real-world attacks from CORE IMPACT. ... (Focus-IDS) Re: Wired detection of rogue access points ... I know it's not an easy job to fingerprint in this way. ... Every network device has some fingerprint in the way that it interacts ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ... (Focus-IDS)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ids  > 2007-12