Home Net
-
How can I create a Home Net list on Snort without some IPs, so that I can block those internal IPs?
-
First, create an alias under Firewall > Aliases containing all the networks and/or IP addresses you want in HOME_NET. Next, go to the PASS LIST screen (I know, it is a little counter-intuitive … ;) ) and create a new PASS LIST. Name it "custom_home_net" or something that makes sense for your case. Uncheck all the options (unless you want to keep a few) and then add the alias you created earlier in the provided Address text box at the bottom. Save the new list.
Now go to the Snort INTERFACE SETTINGS tab for the interface where you want to use this custom HOME_NET. In the HOME_NET drop-down selector, choose the list you created in the steps above. Save the change and then restart Snort on that interface. That should do it.
Bill
-
Hi Bill, thanks for the answer, but I had already done that and it keeps adding my internal IPs to the Home Net list even though they are not in the alias.
-
Problem solved. By selecting custom_home_net in the Pass List drop-down selector on the Snort interface, I could block the source IPs of internal alerts. Thanks for your help.
-
Problem solved. By selecting custom_home_net in the Pass List drop-down selector on the Snort interface, I could block the source IPs of internal alerts. Thanks for your help.
Yes, this part is key (selecting the desired custom list on the INTERFACE SETTINGS tab). Simply creating a list on the PASS LIST screen is not enough. You must then tell Snort (or Suricata, if using that package) to use the new list.
Bill
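The distinction this thread turns on (HOME_NET tells the rules which side is "home"; the Pass List tells the blocking module which addresses it must never block) can be seen by modelling the block decision. The script below is an added illustration written for this page, not code from the pfSense Snort package; the list contents, the three alerts and the SRC/DST/BOTH parameter (standing in for the package's "Which IP to Block" setting) are constructed, hypothetical values.

```python
import ipaddress

# Constructed local networks an admin might have behind pfSense (hypothetical).
# This is the content of the alias Bill describes creating for HOME_NET.
CUSTOM_HOME_NET = ["192.168.1.0/24", "10.0.0.0/8"]

# Constructed stand-in for a Pass List left with its auto-populate options
# checked: every locally attached network plus a couple of infrastructure hosts.
# Any address in here is never blocked, so internal offenders are never blocked.
DEFAULT_PASS_LIST = ["192.168.1.0/24", "10.0.0.0/8", "192.168.1.1", "10.0.0.53"]

# Constructed custom Pass List with the auto-populate options unchecked and only
# the hosts/nets that must never be blocked added by hand. The workstations
# 192.168.1.50 and 10.0.0.7 are deliberately left out so they stay blockable.
CUSTOM_PASS_LIST = ["192.168.1.1", "192.168.1.20", "10.0.0.53", "172.16.0.0/16"]

# Constructed alerts as (source, destination) pairs: an internal host hitting an
# external one, an internal host hitting another internal host, and an external
# host hitting an internal one.
ALERTS = [
    ("192.168.1.50", "203.0.113.10"),
    ("10.0.0.7", "192.168.1.20"),
    ("198.51.100.9", "192.168.1.20"),
]


def parse_list(entries):
    """Turn CIDR and bare-host strings into network objects (hosts become /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_list(ip, nets):
    """True if ip falls inside any network in nets (mixed v4/v6 compares as False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def blocked_hosts(alerts, pass_list, which="SRC"):
    """Return the set of addresses that would get a block entry.

    which selects the alert side(s) to block: "SRC", "DST" or "BOTH".
    An address is blocked only if it is NOT in the pass list; HOME_NET
    membership plays no part in this decision.
    """
    nets = parse_list(pass_list)
    sides = {"SRC": (0,), "DST": (1,), "BOTH": (0, 1)}[which]
    blocked = set()
    for alert in alerts:
        for side in sides:
            ip = alert[side]
            if not in_list(ip, nets):
                blocked.add(ip)
    return blocked


if __name__ == "__main__":
    home = parse_list(CUSTOM_HOME_NET)
    # The internal workstation is in HOME_NET in both scenarios...
    print("192.168.1.50 in HOME_NET:", in_list("192.168.1.50", home))
    # ...but only the pass list decides whether it can be blocked.
    print("default pass list blocks:", sorted(blocked_hosts(ALERTS, DEFAULT_PASS_LIST)))
    print("custom pass list blocks: ", sorted(blocked_hosts(ALERTS, CUSTOM_PASS_LIST)))
    print("custom, BOTH sides:      ", sorted(blocked_hosts(ALERTS, CUSTOM_PASS_LIST, "BOTH")))
```

With the default-style list only the external attacker (198.51.100.9) is blocked; with the custom list the two internal offenders are blocked as well, while 192.168.1.20 stays protected because it was added explicitly. Changing HOME_NET alone moves nothing between those two outcomes, which is why the fix in the thread was selecting the custom list in the Pass List selector.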