snort-users May 2008 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: [Snort-users] Excluding a single IP from HOME_NET

[Snort-users] Excluding a single IP from HOME_NET

From: Cees <celzinga_at_nospam>
Date: Thu May 29 2008 - 15:25:02 GMT


Is it possible to exclude a single IP from HOME_NET?

Imagine a network that uses the range, and HOME_NET and EXTERNAL_NET are defined as follows:

var HOME_NET []

Now image all clients connect to the internet via a proxy server, eg The problem arises that this setup won't detect any malware infections, since (allmost) all malware rules are written for client in HOME_NET accessing EXTERNAL_NET, eg:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".1"; within: 40; reference:url,; classtype: trojan-activity; sid: 2000930; rev:7;)

Is there any way to exclude the proxy server from HOME_NET?

An ideal solution would be something like: var PROXY_SERVER = []

However, this syntax results in an error in the sfportscan preprocessor: ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)

Any ideas?

Thanks, Cees

This email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008.

Snort-users mailing list
Go to this URL to change user options or unsubscribe: Snort-users list archive: